Abstract


Interprocess communication is studied without assuming any lower-level communication primitives. Three classes of communication registers are considered, and several constructions are given for implementing one class of register with a weaker class. A formalism is developed for reasoning about concurrent systems that does not assume an atomic grain of action.
1 Introduction


All communication ultimately involves a communication medium whose state is changed by the sender and observed by the receiver. A sending processor changes the voltage on a wire and a receiving processor observes the voltage change; a speaker changes the vibrational state of the air and a listener senses this change.

Communication acts can be divided into two classes: transient and persistent. In a transient communication, the medium’s state is changed only for the duration of the communication, immediately afterwards reverting to its “normal” state. A message sent on an ethernet modifies the transmission medium’s state only while the message is in transit; the altered state of the air lasts only while the speaker is talking. In a persistent communication, the state change remains after the sender has finished its communication. Setting a voltage level on a wire, writing on a blackboard, and raising a flag on a flagpole are all examples of persistent communication.

Transient communication is possible only if the receiver is observing the communication medium while the sender is modifying it. This implies an a priori synchronization — the receiver must be waiting for the communication to take place. Communication between truly asynchronous processes must be persistent, the sender changing the state of the medium and the receiver able to sense that change at a later time.

Message passing is often considered to be a form of transient communication between asynchronous processes. However, a closer examination of asynchronous message passing reveals that it involves a persistent communication. Messages are placed in a buffer that is periodically tested by the receiver. Viewed at a low level, message passing is typically accomplished by putting a message in a buffer and setting an interrupt bit that is tested on every machine instruction. The receiving process actually consists of two asynchronous subprocesses: a main process that is usually thought of as the receiver, and an input process that continuously monitors the communication medium and puts messages in the buffer. The input process is synchronized with the sender (it is a “slave” process) and communicates asynchronously with the main process using the buffer as a medium for persistent communication.

The subject of this paper is asynchronous interprocess communication, so only persistent communication is considered. Moreover, I will restrict myself to unidirectional communication, in which only a single process can modify the state of the medium. With this restriction, two-way communication requires at least two separate communication media, one modified by each process. However, multiple receivers will be considered. I also restrict my attention to discrete systems, in which the medium has a finite number of distinguishable states. The sender can therefore set the medium to one of a fixed number of persistent states, and the receiver(s) can observe the medium’s state.

The form of persistent communication that I have described is more commonly known as a shared register, where the sender and receiver are called the writer and reader, respectively, and the state of the communication medium is known as the value of the register. I will use these terms in the rest of this paper, so I will consider finite-valued registers with a single writer and one or more readers.

While the practical applications of the algorithms described in this paper will be to “small” registers, the larger purpose is to develop insight into, and formal methods for reasoning about, nonatomic operations to data objects. In the realm of conventional database theory, atomicity is usually called “serializability”. Moreover, although the notation used in describing the algorithms suggests a shared-memory implementation, these are really distributed algorithms, since each shared register is modified by only a single process. Thus, the results described here can be regarded as a preliminary investigation of nonserializable operations in a distributed database.

In assuming a single writer, I rule out the possibility of concurrent writes (to the same register). Since a reader only senses the value, there is no reason why a read operation must interfere with another read or write operation. (While reads do interfere with other operations in some forms of memory, such as magnetic core, this interference is an idiosyncrasy of the particular technology rather than an inherent property of reading.) I therefore assume that a read does not affect any other read or any write. However, it is not clear what effect a concurrent write should have on a read.

In concurrent programming, one traditionally assumes that a writer has exclusive access to shared data, making concurrent reading and writing impossible. This assumption is enforced either by requiring the programming language to provide the necessary exclusive access, or by implementing the exclusion with a “readers-writers” protocol [3]. Such an approach requires that a reader must wait while a writer is accessing the register, and vice versa. Moreover, any method for achieving such exclusive access, whether implemented by the programmer or the compiler, requires a lower-level shared register. At some level, the problem of concurrent access to a shared register must be faced. It is this problem that will be addressed, so I eschew any approach that requires one process to wait for another.

Asynchronous concurrent access to shared registers is usually considered only at the hardware level, so it is at this level that the methods developed here could have some direct application. However, concurrent access to shared data occurs at high levels of abstraction. One cannot allow any single process exclusive access to the entire social security system’s database. While algorithms for implementing a single register cannot be applied to such a database, I hope that the formalism developed for analyzing these algorithms will eventually prove useful for analyzing concurrent systems at a higher level. Nevertheless, it is probably best to think of a register as a low-level component, probably implemented in hardware, when reading this paper.

Hardware implementations of asynchronous communication often make assumptions about the relative speeds of the communicating processes. Such assumptions can lead to simplifications. For example, the problem of constructing an atomic register, discussed below, is shown to be easily solved by assuming that two successive reads of a register cannot be concurrent with a single write. If one knows how long a write can take, a delay can be added between successive reads to ensure that this assumption holds. The results, therefore, apply even to communication between processes of vastly differing speeds.

I therefore make no assumptions about relative process speed and consider a shared register in which a read can overlap (be concurrent with) a write. Three possible assumptions about what can happen when a read overlaps one or more writes are considered.

The weakest possibility is a safe register, in which the only assumption made about the value obtained by a read that overlaps a write is that the read obtain one of the possible values of the register — for example, a read of a boolean-valued register must obtain either true or false. A read that is not concurrent with a write is assumed to obtain the correct value — that is, the most recently written one. However, a read that overlaps a write may return any possible value.

The next stronger possibility is a regular register, which is safe (a read not concurrent with a write gets the correct value) and in which a read that overlaps a write obtains either the old or new value. More generally, a read that overlaps any series of writes obtains either the value before the first of the writes or one of the values being written.

The final possibility is an atomic register, which is safe and in which reads and writes behave as if they occurred in some definite order. In other words, for any execution of the system, there is some way of totally ordering the reads and writes so that the values returned by the reads are the same as if the operations had been performed in that order, with no overlapping. (It is also required that this ordering should be a reasonable one; the precise condition is stated below.)

A regular register is obviously stronger than a safe one, since it places a condition on the value returned by a read that overlaps a write. An atomic register is stronger than a regular one because, if two successive reads overlap the same write, then a regular register allows the first read to obtain the new value and the second read the old value. This is forbidden in an atomic register, in which the only allowed possibilities are old-old, new-new, and old-new. In fact, it will be shown that a regular register is atomic if and only if two successive reads that overlap the same write cannot obtain the new then the old value. Thus, a regular register is automatically an atomic one if two successive reads cannot overlap the same write.

These are the only three general classes of register that I have been able to think of. Each class merits study. Safety seems to be the weakest requirement that allows useful communication; I do not know how to achieve any form of interprocess synchronization with a weaker assumption. Regularity asserts that a read returns a “reasonable” value, and seems to be a natural requirement. Atomicity is the most common assumption made about shared registers, and is provided by current multiport computer memories.¹ At a lower level, such as interprocess communication within a single chip, only safe registers are provided; other classes of register must be implemented using safe ones.

Any method of implementing a single-writer register can be classified by three “coordinates” with the following values:

• safe, regular, or atomic, according to the strongest assumption that the register satisfies.

• boolean or multivalued, according to whether the method produces only boolean registers or registers with any desired number of values.

• single-reader or multireader, according to whether the method yields registers with only one reader or with any desired number of readers.

This produces twelve classes of implementations, partially ordered by “strength” — for example, a method that produces atomic, multivalued, multireader registers is stronger than one producing regular, multivalued, single-reader registers. In this paper, I address the problem of implementing a register of one class using one or more registers of a weaker class.

The weakest class of register, and therefore the easiest to implement, is a safe, boolean, single-reader one. This seems to be the most natural kind of register to implement with current hardware technology, requiring only that the writer set a voltage level either high or low and that the reader test this level without disturbing it. A series of constructions of stronger registers from weaker ones is presented that allows almost every class of register to be constructed starting from this weakest class. The one exception is that constructing an atomic, multireader register from any weaker one is still an open problem. Most of the constructions are simple; the difficult ones are Construction 4 that implements an m-reader multivalued regular register using m-reader boolean regular registers, and Construction 5 that implements a single-reader multivalued atomic register using single-reader multivalued regular registers.

2 The Constructions

In this section, the algorithms for constructing different classes of registers are described and informally justified. Rigorous correctness proofs are postponed until Section 4, after the necessary formalism is developed.

The algorithms are described by indicating how a write and a read are performed. I will not bother to indicate the initial state of the shared registers — it is the one that would result from writing the initial value starting from any arbitrary state.

The first construction implements a multireader safe or regular register from single-reader ones. It uses the obvious method of having the writer simply maintain a separate copy of the register for each reader. The for all statement denotes that its body is executed once for each of the indicated values of i; these separate executions can be done in any order or concurrently.

Construction 1 Let v_1, ..., v_m be single-reader, n-valued registers, where each v_i can be written by the same writer and read by process i, and construct a single n-valued register v in which the operation v := μ is performed as follows:

for all i in {1, ..., m} do v_i := μ od

and process i reads v by reading the value of v_i. If the v_i are safe or regular registers, then v is a safe or regular register, respectively.

Any read by process i that does not overlap a write of v does not overlap a write of v_i. If v_i is safe, then this read gets the correct value, which shows that v is safe. If a read of v_i by process i overlaps a write of v_i, then it overlaps the write of the same value to v. It follows easily from this that, if v_i is regular, then v is also regular.

This construction does not make v an atomic register even if the v_i are atomic. If reads by two different processes i and j both overlap the same write, it is possible for i to get the new value and j the old value even though the read by i precedes the read by j — a possibility not allowed by an atomic register.

The next construction is also trivial; it implements an n-bit safe register from n single-bit ones.

Construction 2 Let v_1, ..., v_n be boolean m-reader registers, each written by the same writer and read by the same set of readers. Let v be the 2^n-valued, m-reader register in which the number with binary representation μ_1 ... μ_n is written by

for all i in {1, ..., n} do v_i := μ_i od

and in which the value is read by reading all the v_i. If each v_i is safe, then v is safe.

The register v is not regular even if the v_i are. A read can return any value if it overlaps a write that changes the register’s value from 0...0 to 1...1.

The next construction shows that it is trivial to implement a boolean regular register from a safe boolean register. In a safe register, a read that overlaps a write may get any value, while in a regular register it must get either the old or new value. However, a read of a safe boolean register must obtain either true or false on any read, so it must return either the old or new value if it overlaps a write that changes the value. A boolean safe register can fail to be regular only if a read that overlaps a write that does not change the value returns the other (wrong) value. To prevent this possibility, one simply does not perform a write that does not change the

Construction 3 Let v be an m-reader boolean register, and let x be a variable internal to the writer (not a shared register) initially equal to the initial value of v. Define v* to be the m-reader boolean register in which the write operation v* := μ is performed as follows:

if x ≠ μ then v := μ;
               x := μ
fi

and a read of v* is performed by reading v. If v is safe then v* is regular.


There are two known algorithms for implementing a multivalued regular register from boolean ones. The simpler one employs a unary encoding, in which the value μ is denoted by zeros in bits 0 through μ − 1 and a one in bit μ. A reader reads the bits from left to right (0 to n) until it finds a one. To write the value μ, the writer first sets bit μ to one and then sets bits μ − 1 through 1 to zero, writing from right to left. (The idea of implementing shared data by reading and writing its components in different directions was also used in [4].)


Construction 4 Let v_1, ..., v_n be boolean, m-reader registers, and let v be the n-valued, m-reader register in which the operation v := μ is performed by

v_μ := 1;
for i := μ − 1 step −1 until 1 do v_i := 0 od

and a read is performed by:

μ := 1;
while v_μ = 0 do μ := μ + 1 od;
return μ

If each v_i is regular, then v is regular.


The correctness of this algorithm is not at all obvious. Indeed, it is not even obvious that the while loop in the read operation does not “fall off the end” and try to read the nonexistent register v_{n+1}. This can’t happen because, whenever the writer writes a zero, there is a one to the right of it. (Since I am assuming that an initial value has been written, some v_i initially equals one.) As an exercise, the reader of this paper can convince himself that, whenever a reading process sees a one, it was written by either a concurrent write or by the most recent preceding one, so v is regular. The formal proof is given in Section 4.

The value of v_n is only set to one, never to zero. It can, therefore, be eliminated; the writer simply never writes it and the reader assumes its value is one instead of reading it. I will not bother writing down this modification.

Even if all the v_i are atomic, Construction 4 does not produce an atomic register. To see this, suppose that the register initially has the value 3, so v_1 = v_2 = 0 and v_3 = 1, the writer first writes the value 1 then the value 2, and there are two successive read operations. This can produce the following sequence of actions:

• the first read finds v_1 = 0

• the first write sets v_1 := 1

• the second write sets v_2 := 1

• the first read finds v_2 = 1 and returns the value 2

• the second read finds v_1 = 1 and returns the value 1.

In this scenario, the first read obtains a newer value (the one written by the second write) than the second read (which obtains the one written by the first write), even though it precedes the second read. This shows that the register is not atomic.

Construction 4 uses n − 1 boolean regular registers to make an n-valued one, so it is practical only for small values of n. We would like an algorithm that requires O(log n) boolean registers to construct an n-valued register. The second method for constructing a regular multivalued register uses an algorithm of Peterson [11] that implements an m-reader n-valued atomic register with m + 2 safe m-reader registers, 2m atomic boolean 2-reader registers, and two atomic boolean m-reader registers. There is no known algorithm for constructing multivalued m-reader atomic registers from simpler ones. However, we can apply Peterson’s algorithm to construct an n-valued single-reader atomic register using three safe single-reader n-valued registers and four single-reader atomic boolean registers. The safe registers can be implemented with Construction 2, and the atomic boolean registers can be implemented with Construction 5 below. Since an atomic register is regular, Construction 1 can then be used to make an m-reader n-valued regular register from O(3m log n) single-reader boolean regular registers.


Before giving the algorithm for constructing a two-reader atomic register, I prove a result that indicates why no trivial algorithm will work. It asserts that there can be no algorithm in which the writer only writes and the reader only reads; any algorithm must involve two-way communication between the reader and the writer.

Theorem: There exists no algorithm to implement an atomic register using only a finite number of regular registers that can be written by the writer (of the atomic register).

Proof: I assume such an algorithm and derive a contradiction. Without loss of generality, I can assume that there is only a single regular register v written by the writer and read by the reader. (Any algorithm that works with multiple registers must also work when those registers are combined into a single large regular register.)

Let v* denote the atomic register that is being implemented. Suppose that the writer performs an infinite number of writes that change the value of v*. There must be some pair of values assumed by v*, call them 0 and 1, such that there are an infinite number of writes that change v*’s value from 0 to 1. Since v can assume only a finite number of values (the hypothesis states that the original algorithm has only a finite number of registers, and all registers are taken to have only a finite number of possible values), there must exist values v_0, ..., v_n of v such that v_0 is the final value of v after each one of an infinite number of writes of 0 to v*, v_n is the final value of v after each one of an infinite number of writes of 1 to v*, and, for each i < n, the value of v is changed from v_i to v_{i+1} during infinitely many writes that change the value of v* from 0 to 1.

A read of v* may involve several reads of v. However, by considering only scenarios in which each of those reads of v obtains the same value, we may assume that each read of v* reads v only once. Since v assumes each value v_i infinitely often, it must be possible for a sequence of n + 1 consecutive reads to obtain the values v_n, v_{n−1}, ..., v_0.

The read that finds v equal to v_i and the subsequent read that finds v equal to v_{i−1} could both have overlapped the same write of v, which could have been a write that occurred in the process of changing v*’s value from 0 to 1. Therefore, if the read of v* that finds v equal to v_i returns the value 1, then the subsequent read that finds v equal to v_{i−1} must also return the value 1, since both reads could be overlapping the same write and, in that case, two successive reads of an atomic register cannot return first the new value, then the old.
The first read, which finds v equal to v_n, must return the value 1, since it could have occurred after the completion of a write of 1. By induction, this implies that the last read, which found v equal to v_0, must return the value 1. However, this read could have occurred after a write of 0 and before any subsequent write, so returning the value 1 would violate the assumption that the register v* is safe. (An atomic register is a fortiori safe.) This is the required contradiction. ∎

This theorem could be expressed and proved using the formalism developed below, but doing so would lead to no new insight. The formal proof of this theorem is therefore left as an exercise for the compulsive reader.

The theorem is false if no bound is placed on the number of values a register can hold. Given a regular register v that can assume an unbounded number of values, an atomic register v* is implemented as follows. The writer sets v equal to a pair consisting of the value of v* and a sequential version number. The reader reads v and compares the version number with the previous one it read. If the new version number is higher, then it uses the value it just read; if the new version number is lower, then it forgets the value and version number it just read and uses the previously read value. The correctness of this algorithm follows easily from Proposition 9 of Section 3.3. By assuming registers hold only a bounded set of values, I am disallowing such algorithms.

Finally, we come to the algorithm for constructing a single-reader atomic register from regular ones. To begin, we try to implement an atomic register v* with a regular register v that holds a pair of values, both normally equal. When v is changed from (ν, ν) (denoting v* = ν) to (μ, μ) (denoting v* = μ), it is first set to the intermediate value (ν, μ). The reader reads v and returns the first component unless it obtains (ν, μ) after having returned the value μ the last time, in which case it must return the value μ to avoid a “new-old” sequence.

The preceding theorem shows that this idea, by itself, is not enough. The reader is in a quandary if three successive reads of v obtain the values (μ, μ), (ν, μ), and (ν, ν). The first read simply returns μ; as I just observed, the second read must also return μ; but what can the third read return? The second and third reads could both have overlapped a single write that is changing the value from ν to μ, so returning ν would produce a new-old sequence. On the other hand, the third read could have seen a completely new value, written long after the write that overlapped the second read, so returning μ could violate safety — the requirement that a read not overlapping any write return the correct value.

To overcome this problem, I add another bit to v, which I will call the color value. When the reader reads v, it sets a shared one-bit register cr to its color value. The writer first reads the register cr and sets v to the opposite color. (Thus, the reader tries to make cr and v’s color the same, and the writer tries to make them different.) The reader interprets (ν, μ) as a μ only if its previous read saw a μ of the same color. The only source of embarrassment is now if three successive reads return values (μ, μ), (ν, μ), and (ν, ν) that are all the same color. It will be shown in Section 4 that this can happen only if the last read actually overlaps the write of (ν, μ), so it is allowed to return the value μ without violating the safety requirement.

In the following construction, the variable cr is written by the reader and read by both the reader and the writer. A two-reader register is not needed, since the reader can maintain a local variable containing the value that it last wrote into cr. (This is just Construction 1 with m = 2 and the writer being the second reader.) Such a local variable would complicate the description, so it is omitted. In the reader’s program, the primed variables denote the values read the previous time, except that, if the reader reads (μ, μ) then (ν, μ), both with the same color, then it “forgets about” the latter value.

Construction 5 Let V be an n-element set; let w and r be processes; let v, cw denote a single 2n²-valued register that can be written by w and read by r, where v has a value in V × V and cw is boolean valued; and let cr be a boolean register that can be written by r and read by w. Define the n-valued register v*, with values in V, written by w and read by r by letting the write v* := μ be performed by:

v, cw := (v_1, μ), ¬cr;
v, cw := (μ, μ), cw

and letting the read operation be performed by the program of Figure 1, where x and x' are local variables with values in V × V, cr' is a boolean-valued local variable, and rtn is a local variable with values in V whose final value is the one returned by the read. Initially, x', cr' equals (v, cw)^[0].


then if x_1 ≠ x_2
       then if x_1 = x'_1 ≠ x_2 ∧ rtn = x'_2
              then skip
              else x' := x;
                   rtn := x_1
            fi
       else if (x ≠ x' ∧ rtn = x_2) ∨ x_1 = x_2 = x'_2
              then x' := x;
                   rtn := x_2
              else x' := x;
                   rtn := x_1
            fi
     fi
else x', cr' := x, cr;
     rtn := x_1

Figure 1: Construction 5: the reader’s algorithm


3  The  Formal  Model 

3.1  System  Executions 

Almost all models of concurrent processes are based upon indivisible atomic actions as their primitive elements. For example, models in which a process is represented by a sequence or “trace” [1,12,13] assume that each element in the sequence represents an indivisible action. Net models [2] and related formalisms [9,10] assume that the firing of an individual transition is atomic. Operations to a nonatomic shared register cannot be modeled as atomic actions, since these formalisms have no concept of two atomic actions overlapping in time.

One can model a single read or write operation with two atomic actions: a start and a finish action. I will employ such a model to motivate the formalism. However, in the general view of physical systems based upon special relativity that is discussed in two of my works [7,5], there may be no single real event that precedes all other events in the operation, and no single event that follows all others. I will show that assuming such fictitious start and finish events would result in no loss of generality. However, it turns out to be easier to reason directly in terms of the nonatomic actions than to use starting and finishing events.

I therefore eschew more conventional formalisms in favor of one introduced in [6] and refined in [5], in which the primitive elements are operation executions that are not assumed to be atomic. In this formalism, an execution of a system is represented as a triple $S, \to, \dashrightarrow$, where $S$ is a finite or countably infinite set of operation executions, and $\to$ and $\dashrightarrow$ are precedence relations on $S$.

The most general way of viewing the form is to consider an operation execution to be a set of points in four-dimensional space-time. Such a view is provided in [5]. While using the same formalism as [5], I will employ a less general but more intuitive model. In this model, an operation execution $A$ is thought of as an activity performed during some time interval $[s_A, f_A]$, where the real numbers $s_A$ and $f_A$ are the starting and finishing times of $A$. I assume that, at any time, only a finite number of operation executions have begun. Stated formally, a model consists of a set $S$ of operation executions, together with real-valued functions $s$ and $f$ on $S$ such that the following conditions hold for all $A$ and $B$ in $S$ (where I write $s_A$ and $f_A$ instead of $s(A)$ and $f(A)$):

M1. $s_A \le f_A$

M2. For any real number $t$: $\{A : s_A < t\}$ is finite

An operation execution $A$ is said to be instantaneous if, for any $B \ne A$, the numbers $s_B$ and $f_B$ lie outside the interval $[s_A, f_A]$. Thus, $A$ is instantaneous if and only if we can set $s_A$ equal to $f_A$ (shrinking the interval to a point) without changing the relative order of any starting and finishing times. Given such a model, we can define the relations $\to$ and $\dashrightarrow$ as follows:

$A \to B \;\equiv\; f_A < s_B$

$A \dashrightarrow B \;\equiv\; s_A \le f_B$ (1)

Thus, $A \to B$ means that $A$ finishes before $B$ starts, and $A \dashrightarrow B$ means that $A$ starts no later than $B$ finishes. We read $A \to B$ as “$A$ precedes $B$” and $A \dashrightarrow B$ as “$A$ can affect $B$”.

M1, M2 and (1) imply that the following hold for all operation executions $A$, $B$, $C$, and $D$ in $S$:

A1. The relation $\to$ is an irreflexive partial ordering.

A2. If $A \to B$ then $A \dashrightarrow B$ and $B \not\dashrightarrow A$.

A3. If $A \to B \dashrightarrow C$ or $A \dashrightarrow B \to C$ then $A \dashrightarrow C$.

A4. If $A \to B \dashrightarrow C \to D$ then $A \to D$.

A5. For any $A$, the set of all $B$ such that $A \not\to B$ is finite.

Instead  of  basing  the  formalism  on  this  model,  I  adopt  the  more  general 
view  of  [5]  and  take  A1-A5  as  axioms. 

Definition 1 A system execution is a triple $S, \to, \dashrightarrow$ such that $S$ is a finite or countably infinite set and $\to$ and $\dashrightarrow$ are relations on $S$ that satisfy A1-A5.

Observe that A1 and A4 imply that if $A \to B$ and $A \dashrightarrow B$ then $B \not\dashrightarrow A$, so the “and $B \not\dashrightarrow A$” in A2 is superfluous.

Definition  1  differs  from  the  definition  of  a  system  execution  given  in  [5] 
because  I  am  considering  only  terminating  operations.  In  the  more  general 
formalism,  Axiom  A5  needs  the  hypothesis  that  A  terminates. 

Definition 2 A global-time model of a system execution $S, \to, \dashrightarrow$ consists of a pair $s, f$ of real-valued functions on $S$ satisfying M1, M2 and (1). It is said to be nondegenerate if, for all $A$: $s_A < f_A$ and for all $B \ne A$: $s_A \ne s_B$ and $s_A \ne f_B$.


A nondegenerate global-time model is one in which no two starting or stopping times are identical. The following result states that any global-time model can be turned into a nondegenerate one by tiny perturbations of the starting and finishing times of operation executions. Such perturbations should be allowed, since no physically meaningful result could depend upon completely accurate knowledge of these times. (It makes no physical sense to specify the starting and finishing times of an operation execution down to the fraction of a micropicosecond.)

Proposition 1 For any global-time model $s, f$ of a system execution $S, \to, \dashrightarrow$ and any $\epsilon > 0$, there exists a nondegenerate global-time model $s', f'$ of $S, \to, \dashrightarrow$ such that $|s_A - s'_A| < \epsilon$ and $|f_A - f'_A| < \epsilon$ for all $A \in S$.

The  proofs  of  this  and  all  other  propositions  stated  in  this  section  are 
given  in  the  appendix. 

In a global-time model, the starting and finishing times of operations are totally ordered. Given two operation executions $A$ and $B$, $s_B$ must be either greater than or not greater than $f_A$, so the following condition holds.

A#. For any operation executions $A$ and $B$ with $A \ne B$: $A \to B$ or $B \dashrightarrow A$.

This condition does not hold for all system executions. (Trivial counterexamples are obtained by noting that the empty precedence relations make any set a system execution.) Condition A# holds only if there is a global-time model.

Proposition 2 A system execution $S, \to, \dashrightarrow$ has a global-time model if and only if A# holds.

In  the  more  general  interpretation  of  operation  executions  given  in  [5], 
condition  A#  fails  to  hold  for  a  pair  of  operation  executions  A,  B  if  A  and 
B  occur  at  spatially  separated  locations,  and  they  both  happen  within  a 
time  interval  that  is  less  than  the  time  needed  for  light  to  travel  between 
their  locations.  In  most  systems  of  practical  interest,  A#  holds  for  almost 
all  pairs  A,  B  of  operation  executions. 

The following result shows that we can get a global-time model by adding extra precedence relations.

Proposition 3 Given any system execution $S, \to, \dashrightarrow$, there exist extensions $\to'$ of $\to$ and $\dashrightarrow'$ of $\dashrightarrow$ such that $S, \to', \dashrightarrow'$ is a system execution satisfying A#.

Later, I will indicate why we can consider the system execution $S, \to', \dashrightarrow'$ to be a reasonable way of viewing the system execution $S, \to, \dashrightarrow$.

A system execution satisfying A# is maximal in the sense that no additional $\to$ or $\dashrightarrow$ relations can be added. This is because, for any pair of distinct operation executions $A$ and $B$, A# implies that either $A \to B$, or $B \to A$, or $A \dashrightarrow B$ and $B \dashrightarrow A$. In any of these three cases, adding an additional precedence relation would violate A1 or A2.

When  trying  to  understand  an  algorithm  or  its  correctness  proof,  it  is 
useful  to  think  in  terms  of  a  global-time  model,  drawing  pictures  of  reads  and 
writes  as  time  intervals.  However,  I  find  that  the  best  way  to  formalize  the 
proof  is  to  use  Axioms  A1-A5.  The  additional  assumption  A#,  implicitly 
introduced  when  using  a  global-time  model,  is  not  needed. 

3.2  Hierarchical  Views 

The  same  system  can  be  viewed  at  different  levels  of  detail,  with  differ¬ 
ent  operation  executions  at  each  level.  Viewed  at  the  customer’s  level, 
a  banking  system  has  operation  executions  such  as  deposit  $10.  Viewed 
at  the  programmer’s  level,  this  same  system  executes  operations  such  as 
dep.amt[cust]  :=  1000.  The  fundamental  problem  of  system  building  is 
to  implement  one  system  (like  a  banking  system)  as  a  higher-level  view  of 
another  system  (like  a  Pascal  program). 

A higher-level operation consists of a set of lower-level operations: the set of operations that implement it. Let $S, \to, \dashrightarrow$ be a system execution and let $\mathcal H$ be a set whose elements, called higher-level operation executions, are sets of operation executions from $S$. We consider the starting time $s^*_H$ of a higher-level operation execution $H$ to be the earliest starting time of all the operation executions it contains, and its finishing time $f^*_H$ to be their latest finishing time. In other words, for every $H$ in $\mathcal H$:

$s^*_H = \min\{s_A : A \in H\}$

$f^*_H = \max\{f_A : A \in H\}$ (2)

In order for this to define real-valued functions $s^*$ and $f^*$ on $\mathcal H$ that satisfy M1 and M2, it is sufficient for $\mathcal H$ to satisfy the following two conditions:

H1. Each element of $\mathcal H$ is a finite, nonempty set of elements of $S$.

H2. Each element of $S$ belongs to a finite, nonzero number of elements of $\mathcal H$.




A set $\mathcal H$ of subsets of $S$ satisfying H1 and H2 is called a higher-level view of $S$. In most cases of interest, $\mathcal H$ is a partition of $S$, so each element of $S$ belongs to exactly one element of $\mathcal H$. However, I allow the more general case in which a single lower-level operation execution is viewed as part of the implementation of more than one higher-level one.

Let $S, \to, \dashrightarrow$ be a system execution with a global-time model $s, f$, and let $\mathcal H$ be a higher-level view of $S$. We can define $s^*$ and $f^*$ by (2) and then use (1) to define $\stackrel{*}{\to}$ and $\stackrel{*}{\dashrightarrow}$, obtaining a system execution $\mathcal H, \stackrel{*}{\to}, \stackrel{*}{\dashrightarrow}$ having $s^*, f^*$ as a global-time model. The precedence relations $\stackrel{*}{\to}$ and $\stackrel{*}{\dashrightarrow}$ can be obtained directly from $\to$ and $\dashrightarrow$ as follows:

$G \stackrel{*}{\to} H \;\equiv\; \forall A \in G : \forall B \in H : A \to B$

$G \stackrel{*}{\dashrightarrow} H \;\equiv\; \exists A \in G : \exists B \in H : A \dashrightarrow B \text{ or } A = B$ (3)

We can forget about the global-time models and take (3) to be the definitions of $\stackrel{*}{\to}$ and $\stackrel{*}{\dashrightarrow}$. It is easy to show that, if $\mathcal H$ satisfies H1 and H2 and $\to$ and $\dashrightarrow$ satisfy A1-A5, then $\stackrel{*}{\to}$ and $\stackrel{*}{\dashrightarrow}$ also satisfy A1-A5. Therefore, if $\mathcal H$ is a higher-level view of $S$, then $\mathcal H, \stackrel{*}{\to}, \stackrel{*}{\dashrightarrow}$ is a system execution. If the relations $\to$ and $\dashrightarrow$ also satisfy A#, then so do $\stackrel{*}{\to}$ and $\stackrel{*}{\dashrightarrow}$.
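The two levels just described, as an added worked example that is not part of the paper: a constructed global-time model from which $\to$ and $\dashrightarrow$ are computed by (1), a check of axioms A1-A5 and of condition A# (Proposition 2), and the relations (3) induced on a higher-level view. All operation names, intervals and the view itself are assumptions made for the illustration.

```python
"""Added worked example (not code from the paper): a global-time model as in
(1), the axioms A1-A5 and condition A#, and the relations (3) induced on a
higher-level view.  Operation executions are named strings; a model maps a
name to its interval (s_A, f_A).  All names and intervals are constructed."""
from itertools import product

# Constructed model: a read R implemented by the lower-level operations
# a, b, c and a write W implemented by w, with a -> w -> c, so that R and W
# are really concurrent; x is an unrelated later operation.
MODEL = {"a": (0.0, 1.0), "w": (2.0, 3.0), "b": (2.5, 4.5),
         "c": (4.0, 5.0), "x": (6.0, 7.0)}
VIEW = {"R": {"a", "b", "c"}, "W": {"w"}, "X": {"x"}}   # higher-level view

def precedes(model, A, B):
    """A -> B  iff  f_A < s_B   (definition (1))."""
    return model[A][1] < model[B][0]

def can_affect(model, A, B):
    """A --> B  iff  s_A <= f_B   (definition (1))."""
    return model[A][0] <= model[B][1]

def relations(model):
    """Materialise -> and --> as sets of ordered pairs of names."""
    pairs = list(product(model, repeat=2))
    arrow = {(A, B) for A, B in pairs if precedes(model, A, B)}
    dash = {(A, B) for A, B in pairs if can_affect(model, A, B)}
    return arrow, dash

def check_axioms(ops, arrow, dash):
    """Return the names of the axioms among A1-A5 that fail ([] if all hold).
    A5 holds for any finite set, so only A1-A4 are tested."""
    failed = []
    # A1: -> is an irreflexive partial ordering (irreflexive and transitive).
    if any((A, A) in arrow for A in ops) or any(
            (A, C) not in arrow for A, B, C in product(ops, repeat=3)
            if (A, B) in arrow and (B, C) in arrow):
        failed.append("A1")
    # A2: A -> B implies A --> B and not B --> A.
    if any((A, B) not in dash or (B, A) in dash for A, B in arrow):
        failed.append("A2")
    # A3: A -> B --> C or A --> B -> C implies A --> C.
    if any((A, C) not in dash
           for A, B, C in product(ops, repeat=3)
           if ((A, B) in arrow and (B, C) in dash)
           or ((A, B) in dash and (B, C) in arrow)):
        failed.append("A3")
    # A4: A -> B --> C -> D implies A -> D.
    if any((A, D) not in arrow
           for A, B, C, D in product(ops, repeat=4)
           if (A, B) in arrow and (B, C) in dash and (C, D) in arrow):
        failed.append("A4")
    return failed

def satisfies_a_sharp(ops, arrow, dash):
    """A#: for all A != B, A -> B or B --> A.  By Proposition 2 this holds
    exactly when a global-time model exists."""
    return all((A, B) in arrow or (B, A) in dash
               for A, B in product(ops, repeat=2) if A != B)

def induced(view, arrow, dash):
    """Relations (3) on a higher-level view (name -> set of lower-level ops):
    G -> H iff every A in G precedes every B in H;
    G --> H iff some A in G can affect some B in H, or G and H share an element."""
    hi_arrow = {(G, H) for G, H in product(view, repeat=2)
                if all((A, B) in arrow for A in view[G] for B in view[H])}
    hi_dash = {(G, H) for G, H in product(view, repeat=2)
               if any((A, B) in dash or A == B
                      for A in view[G] for B in view[H])}
    return hi_arrow, hi_dash

if __name__ == "__main__":
    arrow, dash = relations(MODEL)
    print("lower level fails:", check_axioms(list(MODEL), arrow, dash),
          "A#:", satisfies_a_sharp(list(MODEL), arrow, dash))
    hi_arrow, hi_dash = induced(VIEW, arrow, dash)
    print("higher level fails:", check_axioms(list(VIEW), hi_arrow, hi_dash),
          "A#:", satisfies_a_sharp(list(VIEW), hi_arrow, hi_dash))
    # R and W can each affect the other, so by A2 neither R -> W nor W -> R
    # holds in the induced relations: an atomic register cannot use them.
    print(("R", "W") in hi_dash, ("W", "R") in hi_dash,
          ("R", "W") in hi_arrow, ("W", "R") in hi_arrow)
```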

Let us now consider what it means for one system to implement another. If the system execution $S, \to, \dashrightarrow$ is an implementation of a system execution $\mathcal H, \stackrel{\mathcal H}{\to}, \stackrel{\mathcal H}{\dashrightarrow}$, then we expect $\mathcal H$ to be a higher-level view of $S$; that is, each operation in $\mathcal H$ should consist of a set of operation executions of $S$ satisfying H1 and H2. This describes the elements of $\mathcal H$, but not the precedence relations $\stackrel{\mathcal H}{\to}$ and $\stackrel{\mathcal H}{\dashrightarrow}$. What should those relations be?

If we consider the system execution $S$ to be the “real” one and $\mathcal H$ to be a fictitious grouping of the real operation executions into abstract, higher-level ones, then the induced relations $\stackrel{*}{\to}$ and $\stackrel{*}{\dashrightarrow}$ are the “real” precedence relations on $\mathcal H$. These induced relations make the higher-level view $\mathcal H$ a system execution, so they are an obvious choice for the relations $\stackrel{\mathcal H}{\to}$ and $\stackrel{\mathcal H}{\dashrightarrow}$. However, they may not be the proper choice. Suppose that we are trying to implement an atomic register using several simpler ones, and consider a read $R$ and write $W$ to that register; that is, $R$ and $W$ are operation executions in $\mathcal H$ that represent a read and write to the register. Atomicity means that either $R \stackrel{\mathcal H}{\to} W$ or $W \stackrel{\mathcal H}{\to} R$. However, the two operation executions could really be concurrent. For example, there could be some operation executions $A$ and $B$ in the implementation of $R$ and an operation execution $C$ in the implementation of $W$ with $A \to C \to B$, which (by (3)) implies $R \stackrel{*}{\dashrightarrow} W$ and $W \stackrel{*}{\dashrightarrow} R$. Thus, (by A2) the induced relations $\stackrel{*}{\to}$ and $\stackrel{*}{\dashrightarrow}$ cannot be the desired relations $\stackrel{\mathcal H}{\to}$ and $\stackrel{\mathcal H}{\dashrightarrow}$.

When implementing an atomic register from nonatomic ones, in addition to specifying what set of lower-level operation executions corresponds to an atomic read or write, one must also specify how to determine whether a read, which may really be concurrent with a write (according to the induced relations $\stackrel{*}{\to}$ and $\stackrel{*}{\dashrightarrow}$), is considered to precede or follow that write. This must be specified in such a way that the register satisfies the condition of atomicity, namely, that each read obtains the value written by the most recent write. Subject to that requirement, there is a great deal of freedom in specifying the high-level relation $\stackrel{\mathcal H}{\to}$.

The  implementor  cannot  be  completely  free  to  specify  the  precedence 
relations  in  the  high-level  system  any  way  he  wishes.  For  example,  if  there 
is  at  least  one  write  of  every  possible  value  of  the  register,  then  any  system 
execution  can  be  viewed  as  the  implementation  of  an  atomic  register  by 
choosing the $\stackrel{\mathcal H}{\to}$ relation to be a sequential ordering of the reads and writes
in  which  every  read  comes  between  any  write  of  the  value  it  read  and  the 
next  write  operation.  This  could  lead  to  a  precedence  relation  in  which 
an  operation  is  defined  to  precede  one  that  really  occurred  several  months 
earlier.  Such  a  precedence  relation  obviously  seems  absurd,  but  why?  In 
a  real  system,  these  reads  and  writes  occur  deep  within  the  computer;  we 
never  actually  see  them  happen.  What  is  wrong  with  defining  the  precedence 
relation $\stackrel{\mathcal H}{\to}$ to pretend that these operation executions happened in any
order  we  wish?  After  all,  we  are  already  pretending,  contrary  to  fact,  that 
the  operations  are  not  concurrent. 

In addition to reads and writes to registers, real systems perform externally observable operation executions such as printing on terminals. By observing these operation executions, we can infer some precedence relations among the internal reads and writes. We need some condition on $\stackrel{\mathcal H}{\to}$ and $\stackrel{\mathcal H}{\dashrightarrow}$ to rule out precedence relations that contradict such observations.

These contradictions are avoided by requiring that the interval in which we pretend an operation execution occurs (in forming the $\stackrel{\mathcal H}{\to}$ and $\stackrel{\mathcal H}{\dashrightarrow}$ relations) be contained within the interval in which it actually occurs. In other words, we require that a global-time model $s^{\mathcal H}, f^{\mathcal H}$ for $\mathcal H, \stackrel{\mathcal H}{\to}, \stackrel{\mathcal H}{\dashrightarrow}$ satisfy

$s^*_H \le s^{\mathcal H}_H \le f^{\mathcal H}_H \le f^*_H$ (4)

where $s^*$ and $f^*$ are defined by (2). To reformulate (4) directly in terms of the precedence relations, I appeal to the following result.
Proposition 4 Let $s, f$ be a nondegenerate global-time model for a system execution $S, \to, \dashrightarrow$ and let $S, \to', \dashrightarrow'$ be a system execution satisfying A# such that for any $A, B \in S$: $A \to B$ implies $A \to' B$. Then there exists a nondegenerate global-time model $s', f'$ for $S, \to', \dashrightarrow'$ such that, for all $A \in S$:

This result implies that, if the system executions $S, \to, \dashrightarrow$ and $\mathcal H, \stackrel{\mathcal H}{\to}, \stackrel{\mathcal H}{\dashrightarrow}$ both satisfy A#, then the ability to choose $s^{\mathcal H}$ and $f^{\mathcal H}$ satisfying (4) is equivalent to the following condition:

H3. For any $G, H \in \mathcal H$: if $G \stackrel{*}{\to} H$ then $G \stackrel{\mathcal H}{\to} H$, where $\stackrel{*}{\to}$ is defined by (3).

This  should  serve  to  motivate  the  following  formal  definition,  which  does 
not  mention  global-time  models. 

Definition 3 A system execution $S, \to, \dashrightarrow$ implements a system execution $\mathcal H, \stackrel{\mathcal H}{\to}, \stackrel{\mathcal H}{\dashrightarrow}$ if H1-H3 are satisfied.

To relate this definition to the preceding discussion of observable operation executions, we need the following result. Its statement relies upon the obvious fact that if $S, \to, \dashrightarrow$ is a system execution, then $T, \to, \dashrightarrow$ is also a system execution for any subset $T$ of $S$. (The symbols $\to$ and $\dashrightarrow$ denote both the relations on $S$ and their restrictions to $T$. Also, in the proposition, the set $T$ is identified with the set of all singleton sets $\{A\}$ for $A \in T$.)

Proposition 5 Let $S \cup T, \to, \dashrightarrow$ be a system execution, where $S$ and $T$ are disjoint; let $S, \to, \dashrightarrow$ be an implementation of a system execution $\mathcal H, \stackrel{\mathcal H}{\to}, \stackrel{\mathcal H}{\dashrightarrow}$, and let $\stackrel{*}{\to}$ and $\stackrel{*}{\dashrightarrow}$ be the relations defined on $\mathcal H \cup T$ by (3). Then there exist precedence relations $\stackrel{\mathcal{HT}}{\to}$ and $\stackrel{\mathcal{HT}}{\dashrightarrow}$ such that:

• $\mathcal H \cup T, \stackrel{\mathcal{HT}}{\to}, \stackrel{\mathcal{HT}}{\dashrightarrow}$ is a system execution that is implemented by $S \cup T, \to, \dashrightarrow$.
•  •  )/ T  UT  ff  tl 

• The restrictions of $\stackrel{\mathcal{HT}}{\to}$ and $\stackrel{\mathcal{HT}}{\dashrightarrow}$ to $\mathcal H$ equal $\stackrel{\mathcal H}{\to}$ and $\stackrel{\mathcal H}{\dashrightarrow}$, respectively.

• The restrictions of $\stackrel{\mathcal{HT}}{\to}$ and $\stackrel{\mathcal{HT}}{\dashrightarrow}$ to $T$ are extensions of the relations $\to$ and $\dashrightarrow$, respectively.
To apply this proposition to our discussion of implementations, let $S, \to, \dashrightarrow$ be an execution of a lower-level system of register reads and writes implementing a higher-level system execution $\mathcal H, \stackrel{\mathcal H}{\to}, \stackrel{\mathcal H}{\dashrightarrow}$ of reads and writes. Let $T$ be the set of all other operation executions in the system, including the observable ones. Proposition 5 means that, while the precedence relations $\stackrel{\mathcal H}{\to}$ and $\stackrel{\mathcal H}{\dashrightarrow}$ may imply new precedence relations on the operation executions in $T$, these relations ($\stackrel{\mathcal{HT}}{\to}$ and $\stackrel{\mathcal{HT}}{\dashrightarrow}$) are consistent with the “real” precedence relations $\stackrel{*}{\to}$ and $\stackrel{*}{\dashrightarrow}$ on $T$.

Note that, when there are global-time models for all the system executions, the $*$ relations are the same as the original precedence relations on the set $T$, and Proposition 4 implies that the $\mathcal{HT}$ relations can be chosen also to be the same as the original precedence relations on $T$. However, in general, the relation $\stackrel{\mathcal H}{\to}$ may contain orderings that imply additional orderings on the elements of $T$ beyond those contained in $\stackrel{*}{\to}$. As a simple example, let $A, B \in S$, let $S, T \in T$, let $S \to A$, $B \to T$ be the only precedence relations among these elements, and let $\mathcal H = S$. If $A \stackrel{\mathcal H}{\to} B$, then A1 implies $S \stackrel{\mathcal{HT}}{\to} T$ even though $S \stackrel{*}{\not\to} T$.

When implementing a register, I will ignore any operation executions not involved in the implementation, and consider the system execution comprising only the reads and writes that implement the register. Proposition 5 shows that the implementation cannot lead to any anomalous precedence relations among the operation executions that are being ignored.

An implementation $S, \to, \dashrightarrow$ of $\mathcal H, \stackrel{\mathcal H}{\to}, \stackrel{\mathcal H}{\dashrightarrow}$ is said to be trivial if every element of $\mathcal H$ is a singleton set. In other words, a trivial implementation is one in which each higher-level operation execution is implemented by a single lower-level one. In a trivial implementation, the sets $S$ and $\mathcal H$ are (essentially) the same; the two system executions differ only in their precedence relations.

Proposition 3 implies that any system execution trivially implements one that satisfies A#, which, by Proposition 2, has a global-time model. Implementation is transitive: if $S, \to, \dashrightarrow$ implements $S', \to', \dashrightarrow'$ which in turn implements $\mathcal H, \stackrel{\mathcal H}{\to}, \stackrel{\mathcal H}{\dashrightarrow}$, then $S, \to, \dashrightarrow$ implements $\mathcal H, \stackrel{\mathcal H}{\to}, \stackrel{\mathcal H}{\dashrightarrow}$. When

implementing  a  higher-level  system,  we  can  therefore  assume  the  lower-level 
system  execution  has  a  global-time  model.  However,  there  is  no  reason  to 
do  so;  a  rigorous  correctness  proof  using  Axioms  A1-A5  will  be  at  least  as 
simple  as  one  based  upon  starting  and  finishing  times,  and  will  be  more 
reliable  than  an  intuitive  one  based  upon  pictures  of  intervals. 


3.3  Register  Axioms 

The foregoing discussion applies to any system execution. I now consider system executions containing reads and writes to registers. In addition to A1-A5, some axioms special to these kinds of operation executions are needed, including axioms that provide the formal definitions of safe, regular, and atomic registers.

Axioms  A1-A5  do  not  require  that  there  be  any  precedence  relations 
among  operation  executions.  However,  some  precedence  relation  between  a 
read  and  a  write  to  the  same  register  must  be  assumed.  (Communication 
requires  a  causal  connection  between  reads  and  writes.)  The  following  axiom 
is assumed; the reader is referred to [5] (where it is labeled C3) for its justification. Note that it is implied by A#.

B1. For any read $R$ and write $W$ to the same register, $R \dashrightarrow W$ or $W \dashrightarrow R$ (or both).

Each register is assumed to have a finite set of possible values; for example, a boolean-valued register has the possible values true and false. I assume that any read, whether or not it overlaps a write, obtains one of these values.

B2.  A  read  of  a  register  obtains  one  of  the  values  that  may  be  written  in 
the  register. 

Thus,  a  read  of  a  Boolean  register  cannot  obtain  a  nonsense  value  like  “tr/se”. 
This  axiom  does  not  assume  that  the  value  obtained  by  a  read  was  ever 
actually  written  in  the  register. 

I assume that a register $v$ is written by only a single writer and that each write precedes the next. Let $V^{[1]}, V^{[2]}, \ldots$ denote the sequence of write operations to the register $v$, where

$V^{[1]} \to V^{[2]} \to \cdots$

and let $v^{[k]}$ denote the value written by $V^{[k]}$. (There may be a finite or infinite number of write operations $V^{[k]}$.)

A register $v$ is assumed to have some initial value $v^{[0]}$. It is convenient to assume that this value is written by a write $V^{[0]}$ that precedes ($\to$) all other reads and writes of $v$. Eliminating this assumption changes none of the results, but it complicates the reasoning because a read that precedes all writes has to be treated as a separate case.


Let $R$ be a read of register $v$, and let

$I_R \stackrel{\mathrm{def}}{=} \{V^{[k]} : R \not\dashrightarrow V^{[k]}\}$

$J_R \stackrel{\mathrm{def}}{=} \{V^{[k]} : V^{[k]} \dashrightarrow R\}$

From A2 and the assumption that $V^{[0]}$ precedes all reads, it follows that $V^{[0]}$ is in both $I_R$ and $J_R$; and from A2 and A5 it follows that $I_R$ and $J_R$ are finite. The writes in $J_R$ are the ones that could affect $R$. For the sake of the following intuitive discussion, suppose that A# holds, so $I_R$ is the set of writes that precede ($\to$) $R$. (The reader interested in extending his intuition to the general case should substitute “effectively precedes” for “precedes”, a concept defined in [5].) The difference $J_R - I_R$ of these two sets is the set of writes concurrent with $R$. The read $R$ can observe “traces” of the values written by writes in $J_R - I_R$, and by the last write in $I_R$. All traces of earlier writes are assumed to vanish with the completion of the last write in $I_R$, and no write later than the last one in $J_R$ can influence $R$ in any way.

I will say that $R$ sees $v^{[i,j]}$ if it can observe traces of the writes $V^{[i]}$ through $V^{[j]}$. The formal definition is as follows:

Definition 4 A read $R$ of register $v$ is said to see $v^{[i,j]}$, where:

$i \stackrel{\mathrm{def}}{=} \max\{k : R \not\dashrightarrow V^{[k]}\}$

$j \stackrel{\mathrm{def}}{=} \max\{k : V^{[k]} \dashrightarrow R\}$

This definition makes sense because $i$ and $j$ are defined to be the maxima of finite, nonempty sets: A5 and A2 imply that they are finite, and they both contain zero. Also observe that B1 implies that $i \le j$.

I can now give the formal definitions of safe, regular, and atomic registers. A safe register is one in which a read obtains the correct value if it is not concurrent with any write. This is the case if the read observes traces of only a single write.

B3. (safe) A read that sees $v^{[i,i]}$ obtains the value $v^{[i]}$.

A regular register is one in which a read obtains a value that it “could have” seen.

B4. (regular) A read that sees $v^{[i,j]}$ obtains a value $v^{[k]}$ for some $k$ with $i \le k \le j$.

An atomic register satisfies the additional requirement that a read is never concurrent with any write.

B5. (atomic) If a read sees $v^{[i,j]}$ then $i = j$.

A safe register satisfies B1-B3, a regular register satisfies B1-B4 (note that B4 implies B3), and an atomic register satisfies B1-B5.

The following two propositions state some useful properties that are simple consequences of Definition 4. I introduce the notation of letting $R^{[i,j]}$ stand for a read that sees the value $v^{[i,j]}$. Thus, part (a) is an abbreviation for: “If $R$ is a read that sees $v^{[i,j]}$ and $R \to V^{[k]}$ then $\ldots$” (Recall that $V^{[k]}$ is the $k$th write of $v$.)

Proposition 6 (a) If $R^{[i,j]} \to V^{[k]}$ then $j < k$.

(b) If $V^{[k]} \to R^{[i,j]}$ then $k \le i$.

(c) If $R^{[i,j]} \to R'^{[i',j']}$ then $j \le i' + 1$.

Proposition 7 If $R$ is a read that sees $v^{[i,j]}$, then

(a) $k \le j$ if and only if $V^{[k]} \dashrightarrow R$.

(b) $i \le k$ if and only if $R \dashrightarrow V^{[k+1]}$.

In a global-time view, atomicity is usually defined to mean that all operations are instantaneous. In B5, it is defined by the requirement that a write does not overlap a read. However, two reads may overlap, and a write could overlap some operation execution that is not a read or write of the register. It is easy to see that, given a global-time model for a system execution satisfying B5, without violating conditions B1-B5, we can shrink the intervals occupied by reads and writes so that they overlap no other operations. Thus, the original system execution implements one in which reads and writes of the atomic register are instantaneous.

For a nonatomic register, reads and writes cannot be made instantaneous. However, the reads can be made instantaneous.

Proposition 8 Any system execution $S, \to, \dashrightarrow$ having a safe or regular register $v$ trivially implements a system execution $S, \to', \dashrightarrow'$ in which $v$ is also safe or regular, such that $S, \to', \dashrightarrow'$ has a global-time model in which every read of $v$ is instantaneous.


Figure  2:  An  interesting  collection  of  reads  and  writes. 

I  have  observed  that  a  regular  register  is  not  necessarily  atomic  because 
two  successive  reads  that  overlap  the  same  write  could  return  the  new  then 
the  old  value.  The  following  result  shows  that  this  is  the  only  way  a  regular 
register  can  fail  to  be  atomic. 

Proposition 9 Let $S, \to, \dashrightarrow$ be a system execution containing reads and writes to a regular register $v$, and let $\phi$ be an integer-valued function on the set of reads such that:

1. If $R$ sees $v^{[i,j]}$ then $i \le \phi(R) \le j$.

2. A read $R$ returns the value $v^{[\phi(R)]}$.

3. If $R \to R'$ then $\phi(R) \le \phi(R')$.

Then $S, \to, \dashrightarrow$ trivially implements a system execution in which $v$ is an atomic register.

A function $\phi$ satisfying the first two properties exists if and only if $v$ is regular. One might be tempted to replace these three properties with the requirement that $v$ be regular and that the following hold:

3'. If $R^{[i,j]} \to R'^{[i',j']}$ then there exist $k$ and $k'$ with $i \le k \le j$, $i' \le k' \le j'$ and $k \le k'$ such that $R^{[i,j]}$ returns the value $v^{[k]}$ and $R'^{[i',j']}$ returns the value $v^{[k']}$.

However, this does not imply atomicity. As a counterexample, let $v^{[0]} = v^{[2]} = 0$ and $v^{[1]} = 1$, let $R_1, R_2, R_3$ be the three reads shown in Figure 2, and suppose that $R_1$ and $R_3$ return the value 1 while $R_2$ returns the value 0. The reader can show that this register is regular, but no such $\phi$ can be constructed; there is no way to interpret these reads and writes as belonging to an atomic register while maintaining the given orderings among the writes and among the reads.


If two reads cannot overlap the same write, then $R^{[i,j]} \to R'^{[i',j']}$ implies $j \le i'$. This implies that any $\phi$ satisfying conditions 1 and 2 of Proposition 9 also satisfies condition 3. But such a $\phi$ exists if $v$ is regular, so any regular register trivially implements an atomic one if two reads cannot overlap a single write.

3.4  Systems 

I  have  defined  a  system  execution,  but  not  a  system.  Formally,  a  system  is 
just  a  set  of  system  executions — a  set  that  represents  all  possible  executions 
of  the  system. 

Definition 5 A system is a set of system executions. The system $\mathcal S$ is said to contain a register $v$ satisfying one or more of the properties B1-B5 if every system execution in $\mathcal S$ contains a sequence $V^{[1]} \to V^{[2]} \to \cdots$ of writes with associated values $v^{[1]}, v^{[2]}, \ldots$ and a set of reads satisfying the corresponding properties.

The  usual  method  of  describing  a  system  is  with  a  program  written  in 
some  programming  language.  Each  execution  of  such  a  program  describes  a 
system  execution,  and  the  program  represents  the  system  consisting  of  the 
set  of  all  such  executions.  The  only  operation  executions  that  concern  us 
are  reads  and  writes  of  a  register;  “calculation”  steps  can  be  ignored.  For 
example, execution of the statement $x := y \lor z$ includes three operation executions: a read of $y$, a read of $z$, and a write of $x$. It does not matter whether or not the computation of the $\lor$ is considered to be a separate operation execution. What is significant is that each of the two reads precedes ($\to$) the write; no precedence relation is assumed between the two reads.

A formal semantics for a programming language can be given by defining, for each syntactically correct program, the set of all possible executions. This is done by recursively defining a succession of lower and lower higher-level views, in which each operation execution represents a single execution of a syntactic program unit.² At the highest-level view, a system execution consists of a single operation execution that represents an execution of the entire program. A view in which an execution of the statement $S;T$ is a single operation execution is refined into one in which an execution consists

2For  nonterminating  programs,  the  formalism  must  be  extended  to  allow  a  nontermi¬ 
nating  higher-level  operation  execution  that  consists  of  an  infinite  set  of  lower-level 
operation  executions. 


of  an  execution  of  S  followed  by  ( — ►)  an  execution  of  T.s  While  this 
kind  of  formal  semantics  may  be  useful  in  studying  subtle  programming 
language  issues,  it  is  unnecessary  for  the  simple  language  constructs  used  in 
the  algorithms  of  this  paper,  so  I  will  just  employ  these  ideas  informally. 

Having  defined  what  a  system  is,  I  should  define  what  it  means  for  one 
system  to  implement  another.  The  definition  is,  of  course,  in  terms  of  the 
definition  of  what  it  means  for  one  system  execution  to  implement  another. 

Definition 6 The system $\mathcal{S}$ implements a system $\mathcal{H}$ if there is a mapping $\iota : \mathcal{S} \rightarrow \mathcal{H}$ such that, for every system execution $S, \longrightarrow, \dashrightarrow$ in $\mathcal{S}$, $S, \longrightarrow, \dashrightarrow$ implements $\iota(S, \longrightarrow, \dashrightarrow)$.

Note that for $\mathcal{S}$ to implement $\mathcal{H}$, every execution of $\mathcal{S}$ must correspond to some execution of $\mathcal{H}$. The converse is not required; I do not insist that every possible execution of $\mathcal{H}$ have a corresponding implementation. A higher-level description $\mathcal{H}$ of a system can be viewed as a specification of its implementation: a specification that describes all allowed behaviors, but does not require any particular behavior.

This  definition  raises  the  question  of  how  we  can  specify  that  the  system 
must  actually  do  anything.  The  specification  of  a  banking  system  must 
allow  a  possible  system  execution  in  which  no  customers  happen  to  use  an 
automatic  teller  machine  on  a  particular  afternoon,  and  it  must  include  the 
possibility  that  a  customer  will  enter  an  invalid  request.  How  can  we  rule 
out  an  implementation  in  which  the  machine  simply  ignores  all  customer 
requests  during  an  afternoon,  or  interprets  any  request  as  an  invalid  one? 

The answer lies in the concept of an interface specification, discussed in [8]. The specification must explicitly describe how certain interface operations are to be implemented; their implementation is not left to the implementor. The interface specification for the bank includes a description of what sequences of keystrokes at the teller machine constitute valid requests, and the set of system executions only includes ones in which every valid request is serviced. What it means for someone to use the machine is part of the interface specification, so the possibility of no one using the machine on some afternoon does not allow the implementation to ignore someone who does use it.

Since this paper considers only the internal operations that effect communication between processes within the system, not the interface operations that effect communication between the system and its environment, I will ignore interface specifications. The interested reader is referred to [8] for a discussion of this subject.

³In the general case, we must also allow the possibility that an execution of $S;T$ consists of a nonterminating execution of $S$.


4  Correctness  Proofs  for  the  Constructions 


4.1  Proof  of  Constructions  1,  2,  and  3 

These  constructions  are  all  simple,  and  the  correctness  proofs  are  essentially 
trivial.  Formal  proofs  add  no  further  insight  into  the  constructions,  but  they 
do  illustrate  how  the  formalism  developed  in  the  preceding  section  is  applied 
to  actual  algorithms.  I  therefore  indicate  all  the  formal  details  in  the  proof 
of  Construction  1.  The  formal  proofs  for  the  other  two  constructions  are 
just  briefly  sketched. 

Recall that, in Construction 1, the $m$-reader register $v$ is implemented by the $m$ single-reader registers $v_i$. Formally, this construction defines a system, which I denote by $\mathcal{S}$, that is the set of all system executions consisting of reads and writes of the $v_i$ such that the only operations to these registers are the ones indicated by the readers' and writer's programs. Thus, $\mathcal{S}$ consists of all system executions $S, \longrightarrow, \dashrightarrow$ such that:

•  $S$ consists of reads and writes of the registers $v_i$.

•  Each $v_i$ is written by the same writer and is read only by the $i$th reader.

•  For any $i$ and $j$: if the write $V_i^{[k]}$ occurs, then the write $V_j^{[k]}$ also occurs, and $V_j^{[k]} \longrightarrow V_i^{[k+1]}$.

The third condition expresses the formal semantics of the writer's algorithm, asserting that a write of $v$ is done by writing all the $v_i$, and that a write of $v$ is completed before the next one is begun.

To say that the $v_i$ are safe or regular means that the system $\mathcal{S}$ is further restricted to contain only system executions that satisfy B1-B3 or B1-B4, when each $v_i$ is substituted for $v$ in those conditions.

To show that this construction implements a register $v$, Definition 6 states that we must construct a mapping $\iota$ from $\mathcal{S}$ to the system $\mathcal{H}$, which consists of the set of all system executions formed by reads and writes to an $m$-reader register $v$. To say that $v$ is safe or regular means that $\mathcal{H}$ contains only system executions satisfying B1-B3 or B1-B4.

In giving the readers' and writer's algorithms, the construction implies that, for each system execution $S, \longrightarrow, \dashrightarrow$ of $\mathcal{S}$, the set $\iota(S)$ of operation executions of $\iota(S, \longrightarrow, \dashrightarrow)$ is the higher-level view of $S, \longrightarrow, \dashrightarrow$ consisting of all writes $V^{[k]}$ of the form $\{V_1^{[k]}, \ldots, V_m^{[k]}\}$, for $V_1^{[k]} \in S$, and all reads of the form $\{R_i\}$, where $R_i \in S$ is a read of $v_i$. (The write $V^{[k]}$ exists in $\iota(S)$ if and only if some, and hence all, $V_j^{[k]}$ exists.) Conditions H1 and H2 are obviously satisfied, so this is indeed a higher-level view. To complete the mapping $\iota$, we must define the precedence relations $\xrightarrow{\iota}$ and $\overset{\iota}{\dashrightarrow}$ so that $\iota(S, \longrightarrow, \dashrightarrow)$ is defined to be $\iota(S), \xrightarrow{\iota}, \overset{\iota}{\dashrightarrow}$. Proving the correctness of the construction means showing that:

1.  $\iota(S), \xrightarrow{\iota}, \overset{\iota}{\dashrightarrow}$ is a system execution, that is, it satisfies A1-A5.

2.  $S, \longrightarrow, \dashrightarrow$ implements $\iota(S), \xrightarrow{\iota}, \overset{\iota}{\dashrightarrow}$, that is, H1-H3 are satisfied.

3.  $\iota(S), \xrightarrow{\iota}, \overset{\iota}{\dashrightarrow}$ is in $\mathcal{H}$, that is, B1-B3 or B1-B4 are satisfied.

The precedence relations on $\iota(S)$ are defined to be the "real" ones, with $G \xrightarrow{\iota} H$ if and only if $G$ really precedes $H$. Formally, this means that we let $\xrightarrow{\iota}$ and $\overset{\iota}{\dashrightarrow}$ be the induced relations defined by (3). Recall from Section 3.2 that the induced precedence relations make any higher-level view a system execution, so 1 is satisfied. I have already observed that H1 and H2, which are independent of the choice of precedence relations, are satisfied, and H3 is trivially satisfied by the induced precedence relations, so 2 holds. Therefore, we need only show that, if B1-B3 or B1-B4 are satisfied for reads and writes of each of the registers $v_i$ in $S, \longrightarrow, \dashrightarrow$, then they are also satisfied by the register $v$ of $\iota(S, \longrightarrow, \dashrightarrow)$.

Property B1 for $\iota(S), \xrightarrow{\iota}, \overset{\iota}{\dashrightarrow}$ follows easily from (3) and property B1 for $S, \longrightarrow, \dashrightarrow$. Property B2 is immediate. The informal proof of B3 is as follows: if a read of $v$ by process $i$ does not overlap a write (in $\iota(S)$), then the read of $v_i$ does not overlap any write of $v_i$, so it obtains the correct value. A formal proof is based upon:

X.  If a read $R_i$ in $S, \longrightarrow, \dashrightarrow$ sees $v_i^{[k,l]}$, then the corresponding read $\{R_i\}$ in $\iota(S), \xrightarrow{\iota}, \overset{\iota}{\dashrightarrow}$ sees $v^{[k',l']}$, where $k' \le k \le l \le l'$.

The proof of X is a straightforward application of (3) and Definition 4. Property X easily implies that, if B3 or B4 holds for $S, \longrightarrow, \dashrightarrow$, then it holds for $\iota(S), \xrightarrow{\iota}, \overset{\iota}{\dashrightarrow}$. This completes the formal proof of Construction 1.

The formal proof of Construction 2 is quite similar. Again, the induced precedence relations are used to turn a higher-level view into a system execution. The proof of Construction 3 is a bit trickier because a write operation to $v^*$ that does not change its value consists only of the read operation to the internal variable $x$. This means that the induced precedence relations do not necessarily satisfy B1; they must be extended to make B1 hold. This can be done by applying Proposition 3, though a more "economical" extension can also be constructed.

4.2  Proof  of  Construction  4 

The higher-level system execution of reads and writes to $v$ is defined to have the induced precedence relations $\longrightarrow$ and $\dashrightarrow$. As in the above proofs, verifying that this defines an implementation and that B1 holds is trivial. The only problems are proving B2, namely, showing that the reader must find some $v_i$ equal to one, and proving B4 (which implies B3).

I first prove the following property:

Y.  If a read returns the value $\mu$, then there is some $k$ such that $v^{[k]} = \mu$, and the read sees $v^{[l,r]}$ with $l \le k \le r$.

If B2 holds, then property Y implies B4.

Reasoning about the construction is complicated by the fact that a write of $v$ does not write all the $v_j$, so the write of $v_j$ that occurs during the $k$th write of $v$ is not necessarily the $k$th write of $v_j$. To overcome this difficulty, I introduce new names for the write operations to the $v_j$. If $v_j$ is written during the execution of $V^{[k]}$, then I let $W_j^{[k]}$ denote that write of $v_j$; otherwise, $W_j^{[k]}$ is undefined. Thus, every write $V_j^{[l]}$ of $v_j$ is also named $W_j^{[l']}$ for some $l' \ge l$. I will say that a read of $v_j$ sees $w_j^{[l',r']}$ if it sees $v_j^{[l,r]}$ and the writes $W_j^{[l']}$ and $W_j^{[r']}$ are the same writes as $V_j^{[l]}$ and $V_j^{[r]}$, respectively. Note that, because the writer's algorithm writes from "right to left", if $W_j^{[k]}$ exists, then so do all the $W_i^{[k]}$ with $i < j$. In particular, $W_1^{[k]}$ exists for all $k$.

Let $R$ be a read that returns the value $\mu$, and let $\mu$ be the $i$th value, so $R$ consists of the sequence of reads $R_1 \longrightarrow \cdots \longrightarrow R_i$, where each $R_j$ is a read of $v_j$. All the $R_j$ return the value 0 except $R_i$, which returns the value 1. Let $R$ see $v^{[l,r]}$ and let each $R_j$ see $w_j^{[l(j),r(j)]}$. By regularity of $v_j$, there is some $k(j)$ with $l(j) \le k(j) \le r(j)$ such that $W_i^{[k(i)]}$ writes a 1 and $W_j^{[k(j)]}$ writes a 0 for $1 \le j < i$. Thus, $v^{[k(i)]}$ is the value read by $R$, so it suffices to show that $l \le k(i) \le r$.

Definition 4 implies $W_i^{[r(i)]} \dashrightarrow R_i$, which by (3) implies $V^{[r(i)]} \dashrightarrow R$, which implies $r(i) \le r$. Hence, $k(i) \le r$.


For any $p$ with $p \le l$, Definition 4 implies that $R \not\dashrightarrow V^{[p]}$, which implies that $R_1 \not\dashrightarrow W_1^{[p]}$, which in turn implies that $p \le l(1)$. Hence, $l \le l(1)$.⁴

Since $l(j) \le k(j)$, it suffices to prove that $k(j) \le l(j+1)$ for $1 \le j < i$.

Since $k(j) \le r(j)$, Definition 4 implies that $W_j^{[k(j)]} \dashrightarrow R_j$. Because $W_j^{[k(j)]}$ writes a zero, $W_{j+1}^{[k(j)]}$ exists, and we have

$W_{j+1}^{[k(j)]} \longrightarrow W_j^{[k(j)]} \dashrightarrow R_j \longrightarrow R_{j+1}$

where the two $\longrightarrow$ relations are implied by the order in which writing and reading of the individual $v_j$ are performed. By A4, this implies that $W_{j+1}^{[k(j)]} \longrightarrow R_{j+1}$, which, by A2, implies $R_{j+1} \not\dashrightarrow W_{j+1}^{[k(j)]}$. By Definition 4, this implies that $k(j) \le l(j+1)$, completing the proof of property Y.

To complete the proof of the construction, I must only prove that every read does return a value. Let $R$ and the values $l(j)$, $k(j)$, and $r(j)$ be as above, except let $i = n$ and drop the assumption that $R_n$ obtains the value 1. To prove B2, I must prove that $R_n$ does obtain the value 1.

The same argument used above shows that, if $R_j$ obtains a zero, then that zero was written by some write $W_j^{[k(j)]}$, which implies that $W_{j+1}^{[k(j)]}$ exists and $k(j) \le l(j+1)$. Since $R_n$ obtains the value written by $W_n^{[k(n)]}$, it must obtain a 1 unless $k(n) = 0$ and the initial value is not the $n$th one. Suppose the initial value $v^{[0]}$ is the $p$th value, encoded with $v_p = 1$, $p < n$. Since $R_p$ obtains the value 0, we must have $k(p) > 0$, which implies that $k(n) > 0$, so $R_n$ obtains the value 1. This completes the proof of the construction.
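The proof above argues over an arbitrary interleaving of the writer and one reader. The following Python program, added here as an illustration (it is not code from the paper), makes that argument mechanical: each boolean $v_j$ is modelled as a single-writer regular register whose overlapping reads may return any value regularity allows, the choice being left to an adversarial scheduler; the writer writes right to left and the reader scans left to right exactly as in Construction 4; every interleaving and every choice is explored exhaustively, and property Y and B2 are checked for the higher-level read. The register size, initial value and write sequence are constructed sample inputs, and the `right_to_left=False` switch is my own addition, used only to show what the writer's order buys.

```python
"""Exhaustive check of Construction 4: an n-valued single-writer regular
register v built from n boolean single-writer regular registers v_1..v_n.
Added illustration, not code from the paper.  Value i is encoded by v_i = 1
and v_j = 0 for j < i.  The writer writes v_i := 1 and then v_{i-1}, ..., v_1
:= 0 ("right to left"); the reader reads v_1, v_2, ... and returns the first
index holding a 1."""
import functools


def writer_steps(writes, right_to_left=True):
    """Low-level steps of the writer for the high-level writes V^[1], V^[2], ...
    Each write of v_j is split into a 'begin' and an 'end' step so that
    low-level reads can overlap it.  A step is (kind, k, j, bit)."""
    steps = []
    for k, i in enumerate(writes, start=1):
        order = range(i, 0, -1) if right_to_left else range(1, i + 1)
        for j in order:
            steps.append(("begin", k, j, 1 if j == i else 0))
            steps.append(("end", k, j, None))
    return steps


def initial_regs(n, init):
    """A boolean register is an immutable (values, begun, done) triple: the
    values of all its writes so far (index 0 = initial value), the number of
    writes begun and the number completed.  Unary encoding of `init`."""
    return tuple(((1 if j == init else 0,), 1, 1) for j in range(1, n + 1))


def apply_writer_step(regs, step):
    kind, _, j, bit = step
    values, begun, done = regs[j - 1]
    reg = (values + (bit,), begun + 1, done) if kind == "begin" else (values, begun, done + 1)
    return regs[:j - 1] + (reg,) + regs[j:]


def check_construction4(n, init, writes, right_to_left=True):
    """Interleave one writer performing `writes` with one reader in every
    possible way, letting every overlapping low-level read return any value
    regularity allows.  Returns (executions, violations), where `violations`
    lists every higher-level read that breaks B2 (no v_j found equal to one)
    or property Y (returned value is not v^[k] for some l <= k <= r, V^[l]
    being the last write finished before the read started and V^[r] the last
    write started before it finished)."""
    hist = [init] + list(writes)           # v^[0], v^[1], ...
    steps = writer_steps(writes, right_to_left)
    violations = []

    @functools.lru_cache(maxsize=None)
    def run(regs, wpc, hl_done, hl_begun, rd):
        # rd is None (read not started), "done", or (j, l_j, l_hl): the reader
        # is at v_j, l_j is the index recorded when that low-level read began
        # (None before it begins) and l_hl is the l of the higher-level read.
        # Returns the number of complete executions reachable from this state.
        if wpc == len(steps) and rd == "done":
            return 1
        total = 0
        if wpc < len(steps):                                   # writer moves
            kind, k, j, _ = steps[wpc]
            first = j == (writes[k - 1] if right_to_left else 1)
            last = j == (1 if right_to_left else writes[k - 1])
            total += run(apply_writer_step(regs, steps[wpc]), wpc + 1,
                         k if kind == "end" and last else hl_done,
                         k if kind == "begin" and first else hl_begun, rd)
        if rd == "done":
            return total
        j, l_j, l_hl = rd if rd is not None else (1, None, hl_done)
        if l_j is None:                                        # reader begins v_j
            return total + run(regs, wpc, hl_done, hl_begun, (j, regs[j - 1][2] - 1, l_hl))
        values, begun, _ = regs[j - 1]
        for bit in set(values[l_j:begun]):                     # reader ends v_j
            if bit == 1:
                if j not in hist[l_hl:hl_begun + 1]:
                    violations.append(("B4", j, l_hl, hl_begun))
                total += run(regs, wpc, hl_done, hl_begun, "done")
            elif j == n:
                violations.append(("B2", l_hl, hl_begun))
                total += run(regs, wpc, hl_done, hl_begun, "done")
            else:
                total += run(regs, wpc, hl_done, hl_begun, (j + 1, None, l_hl))
        return total

    executions = run(initial_regs(n, init), 0, 0, 0, None)
    run.cache_clear()
    return executions, violations


if __name__ == "__main__":
    # Constructed sample: a 3-valued register, initial value 2, writes of 3, 1, 2.
    print(check_construction4(3, 2, [3, 1, 2]))
    print(check_construction4(3, 2, [3, 1, 2], right_to_left=False)[1][:3])
```

With the writer writing right to left no execution violates Y or B2, which is what the two proofs above establish; reversing the writer's order lets a reader that starts before a write of the value 3 and finishes before $v_3$ is set see only zeros, the B2 violation the argument about $k(n) > 0$ rules out.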


4.3  Proof  of  Construction  5 

This construction defines a set $\mathcal{H}$, consisting of reads and writes of $v^*$, that is a higher-level view of a system execution $S, \longrightarrow, \dashrightarrow$ whose operation executions are reads and writes of the two shared registers $v_{new}$ and $cr$. As usual, $\longrightarrow$ and $\dashrightarrow$ denote the induced precedence relations on $\mathcal{H}$ that are defined by (3).

Let $u$ denote the shared register $v_{new}$ of the algorithm. In this construction, the write of $v^{*[k]}$, for $k > 0$, is implemented by the sequence $R \longrightarrow U^{[2k-1]} \longrightarrow U^{[2k]}$, where $R$ is a read of $cr$ and $U^{[l]}$ is the $l$th write of $u$. The initial write $V^{*[0]}$ of $v^*$ is just the initial write $U^{[0]}$ of $u$.

⁴Note that the same argument does not prove that $l \le l(i)$ because $W_i^{[p]}$ does not necessarily exist.


Since there is only one reader, the reads of $v^*$ are totally ordered by $\longrightarrow$. The $i$th read $S_i$ of $v^*$ consists of the sequence $R_i \longrightarrow CR^{[i]}$, where $R_i$ is the $i$th read of $u$ and $CR^{[i]}$ is the $i$th write of $cr$. For notational convenience, I assume an imaginary read $R_0$ of $u$ that returns the value $u^{[0]}$, and I define $S_0$ to be the sequence of operations $R_0 \longrightarrow CR^{[0]}$. The operation $S_0$ is taken to be the one that sets the initial values of $x'$ and $cr'$.

The proof of correctness is based upon Proposition 9. Letting $\phi(i)$ denote $\phi(S_i)$, to apply that proposition, it suffices to choose the $\phi(i)$ such that the following three properties hold:

1.  $S_i$ returns the value $v^{*[\phi(i)]}$.

2.  If $S_i$ sees $v^{*[l,r]}$ then $l \le \phi(i) \le r$.

3.  If $j < i$ then $\phi(j) \le \phi(i)$.

I start by defining a function $\psi$ such that $R_i$ returns the value $u^{[\psi(i)]}$ and, if $R_i$ sees $u^{[l,r]}$ then $l \le \psi(i) \le r$. Since $u$ is regular, such a $\psi$ exists. Proposition 6 implies:

Z1.  If $j < i$ then $\psi(j) \le \psi(i) + 1$.

By Proposition 7, $U^{[\psi(i)]} \dashrightarrow R_i \dashrightarrow U^{[\psi(i)+1]}$. Suppose $\psi(i) = 2k$. Since $U^{[2k]}$ is part of $V^{*[k]}$, $U^{[2k+1]}$ is part of $V^{*[k+1]}$, and $R_i$ is part of $S_i$, this implies $V^{*[k]} \dashrightarrow S_i \dashrightarrow V^{*[k+1]}$. Hence, property 2 is satisfied if $\phi(i) = k$. Next, suppose that $\psi(i) = 2k-1$, where $k > 0$. Since $U^{[2k-1]}$ is part of $V^{*[k]}$, we have $V^{*[k-1]} \dashrightarrow S_i \dashrightarrow V^{*[k]}$, so property 2 is satisfied if $\phi(i) = k-1$. But we also have $V^{*[k]} \dashrightarrow S_i$, so property 2 is also satisfied if $\phi(i) = k$. To summarize, property 2 is satisfied by $\phi$ if the following holds:

Z2.  (a) If $\psi(i) = 2k$ then $\phi(i) = k$.

  (b) If $\psi(i) = 2k-1$ then $\phi(i) = k$ or $\phi(i) = k-1$.

The second statement in the algorithm of Figure 1 consists of nested if statements, so executing it executes exactly one innermost then or else clause. I will use a sequence of t (for then) and e (for else) characters to denote such an innermost clause; for example, tee denotes the second innermost else clause, which is executed if $x_1 \ne x_2$ and $x'_1 = x'_2 = x_2$.

Let a ttt-read be one that executes the ttt clause of the reader's algorithm, and let a nice read be one that is not a ttt-read. The initial read $S_0$ is defined to be nice. For any $i > 0$, let $\pi(i)$ denote the largest integer such that $\pi(i) < i$ and $S_{\pi(i)}$ is nice. In other words, $S_{\pi(i)}$ is the last nice read before $S_i$. A ttt-read does not change the value of $rtn$, $x'$ or $cr'$. Therefore, when the execution of $S_i$ begins, $rtn$ has the value returned by $S_{\pi(i)}$ and $x', cr'$ has the value $u^{[\psi(\pi(i))]}$ read by $R_{\pi(i)}$.

I first define $\phi(i)$ inductively for all nice reads, starting with $\phi(0) = 0$. The definition will be made so that Z2 holds for all $i$. Let $i$ be a nice read, $i > 0$, and assume that properties 1-3 and Z2 hold with $\pi(i)$ substituted for $i$. In the following discussion, I will refer to the values of variables immediately after the execution of the first statement in the reader's algorithm during the operation execution $S_i$. Thus, $x, cw$ is the value $u^{[\psi(i)]}$ read by $R_i$, $rtn$ is the value $v^{*[\phi(\pi(i))]}$ returned by $S_{\pi(i)}$, and $x', cr'$ is the value $u^{[\psi(\pi(i))]}$ read by $R_{\pi(i)}$.
Consider first the case $\psi(i) = 2k-1$. In this case, $x_1 = v^{*[k-1]}$ and $x_2 = v^{*[k]}$. If $x_1 \ne x_2$, then properties 1 and Z2 are satisfied only by defining $\phi(i)$ to equal $k-1$ if $S_i$ returns the value $x_1$ and to equal $k$ if $S_i$ returns the value $x_2$. In other words, $\phi(i)$ equals $k$ if $S_i$ executes the tet clause and equals $k-1$ otherwise. Since Z2 is satisfied, property 2 holds.

To prove property 3 for $i$, it suffices to prove that $\phi(\pi(i)) \le \phi(i)$, since property 3 is assumed to hold for $\pi(i)$. Property Z1 implies that $\psi(\pi(i)) \le 2k$, so Z2 implies that $\phi(\pi(i))$ can be greater than $\phi(i)$ only in two cases: (i) $\psi(\pi(i)) = 2k$ and $\phi(i) = k-1$, or (ii) $\psi(\pi(i)) = 2k-1$, $\phi(\pi(i)) = k$, and $\phi(i) = k-1$. But $\psi(\pi(i)) = 2k$ implies that $x'_1 = x'_2 = x_2$, so $S_i$ executes the tet clause and $\phi(i) = k$. Hence, case (i) is impossible. If $\psi(\pi(i)) = 2k-1$ and $\phi(\pi(i)) = k$, then $x' = x$ and $S_{\pi(i)}$ executes the tet clause, so $rtn = x'_2$. Hence, $S_i$ must also execute the tet clause, so $\phi(i) = k$, showing that case (ii) is impossible. This completes the case $\psi(i) = 2k-1$ and $x_1 \ne x_2$.

If $\psi(i) = 2k-1$ and $x_1 = x_2$, then I define $\phi(i)$ to be the maximum of $k-1$ and $\phi(\pi(i))$. Z1 and Z2 (for $\pi(i)$) imply that $\phi(\pi(i)) \le k$, so this defines $\phi(i)$ to equal either $k-1$ or $k$. At this point, I note the following property for later use:

Z3.  If $\psi(i) = 2k-1$, $x_1 = x_2$, and $\phi(i) = k$, then there is a nice read $S_j$ with $j < i$ such that $\psi(j) = 2k$.

The proof of Z3 is by induction on $i$. The hypothesis, Z1, and Z2 imply that either $\psi(\pi(i)) = 2k$, in which case we can let $j = \pi(i)$, or else $\psi(\pi(i)) = 2k-1$ and $\phi(\pi(i)) = k$, in which case we apply Z3 with $\pi(i)$ substituted for $i$.

Returning to the definition of $\phi(i)$, in the case under consideration ($\psi(i) = 2k-1$ and $x_1 = x_2$), properties 1, 2, and Z2 are satisfied because $\phi(i)$ equals either $k-1$ or $k$. Moreover, we obviously have $\phi(\pi(i)) \le \phi(i)$, so property 3 is also satisfied. This completes the case $\psi(i) = 2k-1$ and $x_1 = x_2$.

Finally, I consider the case $\psi(i) = 2k$, where $\phi(i)$ must be defined to equal $k$ to satisfy Z2. In this case, $x_1 = x_2 = v^{*[k]}$ and $S_i$ executes the tte clause, returning the value $x_1$. (Since $S_i$ is assumed to be nice, it does not execute the ttt clause.) Hence, property 1 is satisfied. Since Z2 holds, property 2 is satisfied. To prove property 3 for $i$, it suffices to show that $\phi(\pi(i)) \le \phi(i)$, since the property holds for $\pi(i)$. By Z1, $\psi(\pi(i)) \le 2k+1$, so $\phi(\pi(i))$ can be greater than $\phi(i)$ only if $\psi(\pi(i)) = 2k+1$ and $\phi(\pi(i)) = k+1$. There are two possibilities to consider: (i) $x'_1 \ne x'_2$ and (ii) $x'_1 = x'_2$. In case (i), $\phi(\pi(i))$ can equal $k+1$ only if $S_{\pi(i)}$ executes the tet clause, which implies that $x'_1 \ne x'_2$ and $rtn = x'_2$; but this is impossible since $S_i$ executes the tte clause. In case (ii), Z3 implies that, if $\phi(\pi(i)) = k+1$, then there exists $j < \pi(i)$ with $\psi(j) = 2k+2$. But Z1 implies that this is impossible, since $j < i$ and $\psi(i) = 2k$. Hence, property 3 holds. This completes the construction of $\phi(i)$ for all nice reads $S_i$.

To complete the definition of $\phi$, if $S_i$ is a ttt-read, I define $\phi(i)$ to equal $\phi(\pi(i))$. Since $S_i$ returns the same value as $S_{\pi(i)}$, property 1 is satisfied. Property 3 obviously holds, since it holds for nice reads and $\phi$ assigns to every ttt-read the same value as it assigns the most recent nice read. The only thing left to prove is that property 2 holds for a ttt-read $S_i$. This is perhaps the most subtle proof of the entire paper. It involves proving the remark made earlier, that, if a sequence of reads obtains the values $(\mu,\mu)$, $(\nu,\mu)$, and $(\nu,\nu)$, all of the same color, then the last read overlaps the write of $(\nu,\mu)$.

Let $S_i$ be a ttt-read, and let $(\nu,\nu),c$ be the value $u^{[\psi(i)]}$ read by $R_i$. Since $S_i$ executes the ttt clause, $x', cr'$, which is the value read by $R_{\pi(i)}$, must equal $(\nu,\mu),c$ for some $\mu \ne \nu$, so $\psi(\pi(i))$ is odd. Let $\psi(\pi(i)) = 2k-1$. Since $S_i$ executes the ttt clause, $S_{\pi(i)}$ must return $\mu$, so it must execute the tet clause. This implies that $\phi(\pi(i)) = k$, so $\phi(i) = k$, and that the value of $cw$ read by the operation execution $S_{\pi(i)-1}$ must also equal $c$, so $CR^{[\pi(i)-1]}$ writes the value $c$. The following operation executions must therefore be performed in sequence by the reader (each one $\longrightarrow$'s the next, but the reader may perform other, intervening operation executions):

•  $CR^{[\pi(i)-1]}$: writes $cr^{[\pi(i)-1]} = c$

•  $R_{\pi(i)}$: reads $u^{[2k-1]} = (\nu,\mu),c$

•  $R_i$: reads $u^{[\psi(i)]} = (\nu,\nu),c$

•  $CR^{[i]}$: writes $cr^{[i]} = c$

Moreover, the reads between $S_{\pi(i)}$ and $S_i$ also write the value $c$ in $cr$. Therefore, $cr^{[j]} = c$ for all $j$ with $\pi(i)-1 \le j \le i$. Note also that $\phi(i) = \phi(\pi(i)) = k$.

It follows from Z1 that $\psi(i) \ge 2k-2$. If $\psi(i) = 2k-2$, then Proposition 7 implies that $R_i \dashrightarrow U^{[2k-1]}$. However, that proposition also implies that $U^{[2k-1]} \dashrightarrow R_{\pi(i)}$. Since $U^{[2k-2]} \longrightarrow U^{[2k-1]}$ and $R_{\pi(i)} \longrightarrow R_i$, we see that $U^{[2k-2]} \longrightarrow R_i \dashrightarrow U^{[2k-1]}$. This implies $V^{*[k-1]} \longrightarrow S_i \dashrightarrow V^{*[k]}$, and $U^{[2k-1]} \dashrightarrow R_{\pi(i)} \longrightarrow R_i$ also gives $V^{*[k]} \dashrightarrow S_i$. Since $\phi(i) = k$, property 2 follows from Proposition 7.

I have shown that $\psi(i) \ge 2k-2$ and property 2 holds if $\psi(i) = 2k-2$. To finish the proof, I now show that $\psi(i) = 2k-2$ by assuming $\psi(i) > 2k-2$ and obtaining a contradiction. Since $u^{[2k-1]}$ equals $(\nu,\mu),c$ and $u^{[2k]}$ equals $(\mu,\mu),c$, neither of which equals $(\nu,\nu),c$ (because $\mu \ne \nu$), we must have $\psi(i) > 2k$. Let $cr^{[l,r]}$ denote the read of $cr$ in the write of $v^*$ of which $U^{[\psi(i)]}$ is a part. Since $U^{[\psi(i)]}$ sets $cw$ to $c$, the read $cr^{[l,r]}$ must obtain the value $\neg c$. The writer must therefore perform the following sequence of operation executions, where each $\longrightarrow$'s the next. (There may be other, intervening operation executions.)

•  $U^{[2k]}$: writes $u^{[2k]} = (\mu,\mu),c$

•  $cr^{[l,r]}$: reads the value $\neg c$

•  $U^{[\psi(i)]}$: writes $u^{[\psi(i)]} = (\nu,\nu),c$

By Proposition 7 (and the definition of $\psi$), $R_{\pi(i)} \dashrightarrow U^{[2k]}$. We therefore have

$CR^{[\pi(i)-1]} \longrightarrow R_{\pi(i)} \dashrightarrow U^{[2k]} \longrightarrow cr^{[l,r]}$

so $CR^{[\pi(i)-1]} \longrightarrow cr^{[l,r]}$. By part (b) of Proposition 6, this implies $\pi(i) - 1 \le l$.

Proposition 7 implies $U^{[\psi(i)]} \dashrightarrow R_i$, so

$cr^{[l,r]} \longrightarrow U^{[\psi(i)]} \dashrightarrow R_i \longrightarrow CR^{[i]}$

This implies $cr^{[l,r]} \longrightarrow CR^{[i]}$, so part (a) of Proposition 6 implies $r < i$. We therefore have $\pi(i) - 1 \le l \le r < i$, so regularity of $cr$ implies that $cr^{[l,r]}$ obtains a value $cr^{[j]}$ with $\pi(i) - 1 \le j < i$. However, I already observed that all such values equal $c$, and $cr^{[l,r]}$ obtains the value $\neg c$. This is the required contradiction, completing the proof.


5  Conclusion 


I have defined three classes of shared registers for asynchronous interprocess communication and provided algorithms for implementing one class in terms of a weaker class. For single-writer registers, the only unsolved problem is implementing a multireader atomic register. A solution probably exists, but it undoubtedly requires that a reader communicate with all other readers as well as with the writer. Also, more efficient implementations than Constructions 4 and 5 probably exist. For multivalued registers, Peterson's algorithm [11] combined with Construction 5 provides a more efficient implementation of a regular register than Construction 4, and a more efficient implementation of a single-reader atomic register than Construction 5. However, in this solution, Construction 4 is still needed to implement the regular register used in Construction 5.

I have not addressed the question of multiwriter shared registers. It is not clear what assumptions one should make about the effect of overlapping writes. The one case that is straightforward is that of an atomic multiwriter register, the kind of register traditionally assumed in shared-variable concurrent programs. This raises the problem of implementing a multiwriter atomic register from single-writer ones. An unpublished algorithm of Bard Bloom implements a two-writer atomic register using single-writer atomic registers.

In addition to studying shared registers, I have also developed a formalism for reasoning about concurrent systems that is not based upon atomic actions. Starting from a more general, relativistic viewpoint, I showed that one can, with no essential loss of generality, think in terms of starting and finishing times of operations. While starting and finishing times are intuitively more appealing, and can be useful in proving metatheorems about general systems, rigorous reasoning about specific algorithms is best done in the general formalism, using Axioms A1-A5. These axioms seem to contain the fundamental properties of temporal relations among operation executions that are needed to analyze concurrent algorithms.
Appendix

Proof of Proposition 1

It follows from (1) that, for any operation execution $A$ in $S$, the relations $\longrightarrow$ and $\dashrightarrow$ are not changed by either of the following two changes to the global-time model, where $\delta > 0$:

1.  Changing $s_A$ to $s_A - \delta$ if, for all $B \in S$: $f_B < s_A$ implies $f_B < s_A - \delta$.

2.  Changing $f_A$ to $f_A + \delta$ if, for all $B \in S$: $f_A < s_B$ implies $f_A + \delta < s_B$.

Let $T$ denote the set of numbers $s_A$ and $f_A$ for all $A$ in $S$, and for any real $t$, let $S(t) = \{\tau \in T : \tau < t\}$ and $F(t) = \{\tau \in T : \tau > t\}$. M2 implies that for any $t$, $\max S(t) < t$ and $t < \min F(t)$.

For any $A$, if $s_A$ equals $s_B$ or $f_B$ for some $B \ne A$, I can change $s_A$ to $s_A - \delta$, where $0 < \delta < \epsilon$ is chosen so that $s_A - \delta > \max S(s_A)$. Similarly, if $f_A$ equals $s_B$ or $f_B$ for some $B \ne A$, I can change $f_A$ to $f_A + \delta$, where $0 < \delta < \epsilon$ and $f_A + \delta < \min F(f_A)$.

The details of the formal proof, which involves an inductive definition of $s'$ and $f'$ based upon the countability of $S$, are left to the reader.

Proof of Propositions 2 and 3

The "only if" part of Proposition 2 follows immediately from (1). To prove Proposition 3 and the "if" part of Proposition 2, I prove that, for every system execution $S, \longrightarrow, \dashrightarrow$, there exists a global-time model $s, f$ such that for every $A, B \in S$:

•  $A \longrightarrow B$ implies $f_A < s_B$

•  $A \dashrightarrow B$ implies $s_A < f_B$

The relations defined by this global-time model (written $\longrightarrow'$ and $\dashrightarrow'$) satisfy the requirements of Proposition 3. Moreover, if $S, \longrightarrow, \dashrightarrow$ satisfies A#, then $\dashrightarrow'$ must equal $\dashrightarrow$, since if A# holds then $A \not\dashrightarrow B$ implies $B \longrightarrow A$, which implies $B \longrightarrow' A$, so $A \not\dashrightarrow' B$; and $A \not\dashrightarrow' B$ implies $B \longrightarrow' A$, which implies $B \dashrightarrow A$, so $A \not\dashrightarrow B$.

The  following  proposition  is  used  in  this  proof  and  in  a  later  one. 
Proposition 10  Let T be the set consisting of all elements of the form s_A and f_A for A ∈ S (the elements of T are uninterpreted symbols, not necessarily real numbers), and let ≺ be the smallest transitively closed relation such that

•  If A → B then f_A ≺ s_B.

•  If A - - -> B or A = B then s_A ≺ f_B.

Then ≺ is an irreflexive partial ordering.

Proof : Define three relations on T as follows:

•  For all A: s_A is related to f_A (the first relation).

•  f_A is related to s_B (the second relation) if and only if A → B.

•  s_A is related to f_B (the third relation) if and only if A - - -> B.

Let ⟶ be the union of the three relations, so ≺ is the transitive closure of ⟶. It suffices to prove that ⟶ is an acyclic relation.

The proof is by contradiction. Choose a shortest cycle formed by the ⟶ relation. A cycle composed entirely of relations of the first two kinds would violate A1, so the cycle must contain a portion of the form

f_A ⟶ s_B ⟶ f_C ⟶ s_D

in which the middle step is a relation of the third kind (B - - -> C) and the two outer steps are relations of the second kind (A → B and C → D), since the second relation is the only one from an f to an s and there are no s-to-s or f-to-f relations. I can apply A4 to deduce that A → D, so f_A ⟶ s_D, which contradicts our assumption that the cycle had minimal length, proving Proposition 10.

Returning to the proof of Propositions 2 and 3, we see that ≺ is an irreflexive acyclic relation. Moreover, A5 implies that, for any t ∈ T, t ≺ u for all but a finite number of elements u of T. This, together with the countability of T, implies that ≺ can be completed to a total ordering < such that there is an order-preserving isomorphism of T with a subset of the natural numbers. Identifying the elements of T with the corresponding natural numbers provides the desired global-time model.
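As an added illustration, not code from the paper, the following Python carries out the construction of Proposition 10 and the proof of Propositions 2 and 3 for a finite system execution: it builds the relation on T = {s_A, f_A} from the → and - - -> relations, checks it for cycles, and numbers T with the natural numbers to obtain a global-time model. The function names, the sample relations and the A4-violating counterexample are constructed here.

```python
def global_time_model(ops, precedes, affects):
    """Proposition 10 construction (added example, not the paper's code).
    precedes holds the pairs (A, B) with A --> B, affects the pairs with
    A - - -> B.  Returns (s, f) mapping each operation execution to a natural
    number, or None if the relation on T = {s_A, f_A} has a cycle."""
    nodes = [(kind, a) for a in ops for kind in ("s", "f")]  # the set T
    succ = {t: set() for t in nodes}
    for a in ops:                         # the A = B case: s_A before f_A
        succ[("s", a)].add(("f", a))
    for a, b in precedes:                 # A --> B gives f_A before s_B
        succ[("f", a)].add(("s", b))
    for a, b in affects:                  # A - - -> B gives s_A before f_B
        succ[("s", a)].add(("f", b))
    indeg = {t: 0 for t in nodes}
    for t in nodes:
        for u in succ[t]:
            indeg[u] += 1
    # Kahn's algorithm: a topological numbering exists iff the relation is
    # acyclic; it identifies T with the naturals as in Propositions 2 and 3.
    ready = sorted(t for t in nodes if indeg[t] == 0)
    order = []
    while ready:
        t = ready.pop(0)
        order.append(t)
        for u in sorted(succ[t]):
            indeg[u] -= 1
            if indeg[u] == 0:
                ready.append(u)
    if len(order) != len(nodes):
        return None                       # a cycle remains: no model exists
    when = {t: n for n, t in enumerate(order)}
    return ({a: when[("s", a)] for a in ops}, {a: when[("f", a)] for a in ops})

def is_model(ops, precedes, affects, s, f):
    """True if (s, f) is a global-time model of precedes and affects."""
    return (all(s[a] < f[a] for a in ops)
            and all(f[a] < s[b] for a, b in precedes)
            and all(s[a] < f[b] for a, b in affects))

# Constructed sample: A --> B, and C overlaps both A and B.  (A --> B forces
# A - - -> B by A2, so that pair is listed under AFFECTS as well.)
OPS = ["A", "B", "C"]
PRECEDES = {("A", "B")}
AFFECTS = {("A", "B"), ("A", "C"), ("C", "A"), ("B", "C"), ("C", "B")}

# Constructed counterexample: A --> B - - -> C --> D but D - - -> A, violating
# A4 (which demands A --> D); the cycle f_A, s_B, f_C, s_D, f_A is detected.
BAD_OPS = ["A", "B", "C", "D"]
BAD_PRECEDES = {("A", "B"), ("C", "D")}
BAD_AFFECTS = {("A", "B"), ("C", "D"), ("B", "C"), ("D", "A")}
```

The numbering returned for the sample is one of many valid models; any topological numbering of T works, which is exactly the freedom the proof uses when it completes ≺ to a total order.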

Proof of Proposition 4

Let T be the set of all numbers s_A and f_A for A ∈ S, and let ≺ be the partial ordering on T defined as in Proposition 10 for the precedence relations → and - - ->, namely, the smallest partial order such that A → B implies f_A ≺ s_B, and A - - -> B or A = B implies s_A ≺ f_B. Observe that the following hold for all A and B in S:

(a) Either s_A ≺ f_B or f_B ≺ s_A (by A6).

(b) f_A < s_B implies f_A ≺ s_B (by H3).

To prove the proposition, it suffices to construct s', f' such that s ≤ s' < f' ≤ f and, for all A and B, f_A ≺ s_B implies f'_A < s'_B and s_A ≺ f_B implies s'_A < f'_B.

Let s', f' be any global-time model satisfying

f'_A < s'_B implies f_A < s_B.  (5)

The pair of operation executions A, B is said to be out of order for s', f' if f_A ≺ s_B and s'_B < f'_A. It follows from (a) and (b) that, if there are no out-of-order pairs, then s', f' satisfies the conditions of the proposition.

I will construct s', f' inductively by constructing a sequence of nondegenerate models s^i, f^i with s^i ≤ s^{i+1} < f^{i+1} ≤ f^i, having s^0, f^0 equal to s, f and s', f' equal to their limit. This is done by first choosing the enumeration of all out-of-order pairs of s, f such that, for any subset of them, the minimal element is the one A, B having the smallest value of f_A and, among all such pairs A, B, the one having the largest value of s_B. It follows from H2 that such a minimal element exists for any nonempty set, so this defines an enumeration of the out-of-order pairs of s, f.

If A, B is the ith out-of-order pair, then s^i, f^i will be defined to be the same as s^{i-1}, f^{i-1} except that s^{i-1}_B < f^i_A < s^i_B < f^{i-1}_A. This implies that the set of out-of-order pairs for s^i, f^i equals the set of out-of-order pairs for s^{i-1}, f^{i-1} minus the pair A, B. Moreover, it follows from A5 and (b) that any operation execution belongs to only a finite number of out-of-order pairs of s, f, so the limit s', f' of the models s^i, f^i exists, satisfies (5), and has no out-of-order pairs, proving the proposition.

For notational convenience, the construction of s^i, f^i from s^{i-1}, f^{i-1} is given for the case i = 1. So, I assume that s, f satisfies (b), which is the same as (5), and has a minimal out-of-order pair A, B. I construct s^1, f^1 by decreasing f_A and increasing s_B to get f^1_A < s^1_B, without creating any new out-of-order pairs. (The construction for any i is the same except with more superscripts.)

Let X be the operation execution with the largest value of s_X such that s_X ≺ f_A; if there is no such X, let s_X = −∞. It follows from (b) and the nondegeneracy of s, f that s_X < f_A. Observe that there is no C with s_C in the interval (max(s_X, s_B), f_A], since, by choice of s_X, this would imply f_A ≺ s_C, which would contradict the maximality of s_B. Therefore, if I define f^1_A to be max(s_X, s_B)+, then s, f^1 satisfies (5) and has the same set of out-of-order pairs as s, f, where t+ denotes a value larger than t such that there is no value s_C or f_C in the interval (t, t+).

If s_B > s_X, so f^1_A = s_B+, then I can define s^1_B to be (f^1_A)+ and it is clear that s^1, f^1 also satisfies (5) and has the same set of out-of-order pairs as s, f^1 except that A, B is not out of order for s^1, f^1, so we are done.

Therefore, I need only consider the case s_B < s_X. (Since s_X ≺ f_A, we must have s_B ≠ s_X.) I claim that there is no f_C in the interval [s_B, s_X]. If there were, then (a) and (b) imply that f_C ≺ s_X and s_B ≺ f_C, which, since s_X ≺ f_A, would imply s_B ≺ f_A, contrary to the assumption that A, B is out of order for s, f. Therefore, defining s^δ to be the same as s except with s^δ_B = s_X, we see that s^δ, f^1 satisfies (5) and has the same set of out-of-order pairs as s, f^1. Replacing s by s^δ and starting our argument again, we are in the case s_X ≤ s_B that was considered above. This completes the proof.

Proof of Proposition 5

If → and - - -> are any relations on a set S, let the completion of → and - - -> be the relations →^c and - - ->^c, where →^c is the smallest transitively closed extension of → such that A →^c B - - -> C →^c D implies A →^c D, and - - ->^c is the union of - - -> and →^c. Thus, A →^c B if and only if there exists a chain

A = A_1 ⇒ ··· ⇒ A_n = B

where ⇒ denotes either → or → C - - -> D → for some C and D.

Proposition 11  If →, - - -> satisfies A5; →^c, - - ->^c is the completion of →, - - ->; and →^c is acyclic; then S, →^c, - - ->^c is a system execution.

Proof : I must show that S, →^c, - - ->^c satisfies A1–A5. The only nonobvious part is, in the proof of A2, showing that, if A →^c B, then B -/- ->^c A. However, as observed above, this follows from A1 and A4.

To prove Proposition 5, let → be the union of the relations and , and let - - -> be the union of - - -> and the restriction of → to T. Note that the restriction of → to H equals → (by H3). I define →, - - -> to be the completion of →, - - ->.

I claim that, to prove Proposition 5, it suffices to show that → is acyclic and the restrictions of → and - - -> to H equal → and - - ->. Proposition 11 then implies that H ∪ T, →, - - -> is a system execution, which is easily seen to be implemented by S ∪ T, →, - - ->. (The definition of → and - - -> implies that their restrictions to T are extensions of → and - - ->.)

Moreover, I claim that it suffices to prove that the restriction of → to H equals →. It follows immediately from the definition of → and A2 that, if the restriction of → to H equals →, then the restriction of - - -> to H must equal - - ->. Furthermore, the definition of the completion and the acyclicity of → imply that any cycle of → relations must include an element of H, so A → A must hold for some A ∈ H. If the restriction of → to H equals →, then the acyclicity of → follows from the acyclicity of →. Thus, it suffices to prove that, if A → B, then A → B.

By definition of →, if A → B then there exists a chain A = A_1 ⇒ ··· ⇒ A_n = B, where ⇒ denotes either → or → C - - -> D →. Note that, if A_i and A_{i+1} are both in H, then A_i ⇒ A_{i+1} implies that A_i → A_{i+1}, and, if they are both in T, then A_i ⇒ A_{i+1} implies that A_i → A_{i+1}. Therefore, it suffices to show that any such chain that is of minimal length has length one.

If three consecutive elements A_i, A_{i+1}, and A_{i+2} in this chain are either all in H or all in T, then by the transitivity of → and → it follows that A_i ⇒ A_{i+2}. Therefore, in a minimal-length chain, A_i must be in H if i is odd and in T if i is even. If n > 2, then we have A_1 ⇒ A_2 ⇒ A_3, with A_1 and A_3 in H and A_2 in T. A relation between an element of H and an element of T must be a → relation. Considering the two possible cases for each ⇒ relation, using A1 and A4 for the relations → and - - ->, it follows from A_1 ⇒ A_2 ⇒ A_3 that A_1 → A_2 → A_3, so A_1 ⇒ A_3. This contradicts the assumption of the minimality of n, proving that n = 2 and A → B, which completes the proof of the proposition.

Proof of Propositions 6 and 7

Parts (a) and (b) of Proposition 6 are an immediate consequence of Definition 4. To prove part (c), observe that this definition implies V^[i] → V^[i+1]. The result is immediate if j = 0. If j > 0, then V^[j−1] → V^[j]. Combining these two relations with the hypothesis, we have

V^[j−1] → V^[j] - - -> V^[i] → V^[i+1]

Axiom A4 implies that V^[j−1] → V^[i+1], which, by A2, implies V^[i+1] -/- -> V^[j−1]. This finishes the proof of Proposition 6.

To prove part (a) of Proposition 7, observe that it follows immediately from Definition 4 that V^[k] - - -> R implies k ≤ j. Conversely, I assume k ≤ j and show this implies V^[k] - - -> R. Since V^[j] - - -> R, the desired conclusion is immediate if k = j. If k < j, then V^[k] → V^[j], and it follows from A3.

For part (b), Definition 4 implies that, if i < k', then R - - -> V^[k']. Letting k' = k + 1, this shows that, if i ≤ k, then R - - -> V^[k+1]. Conversely, suppose R - - -> V^[k+1]; then k + 1 ≠ i. If k + 1 < i, then V^[k+1] → V^[i], so A3 would imply R - - -> V^[i], contrary to Definition 4. Hence, we must have i < k + 1, so i ≤ k, completing the proof of Proposition 7.

Proof of Propositions 8 and 9

Apply Proposition 3 to extend the given → and - - -> relations so they satisfy A6. It follows from B1 that this extension does not add any new precedence relations between reads and writes. A read sees v^[i,j], as defined by these new relations, if and only if it sees v^[i,j] in the original system execution. Hence, the new system execution, which satisfies A6, satisfies the hypotheses of the appropriate proposition. Applying Proposition 2, I can therefore assume a nondegenerate global-time model for the system execution.

For the proof of Proposition 9, let φ be the assumed function. For the proof of Proposition 8, φ is defined as follows. If R is a read that sees v^[i,j], for a safe register define φ(R) to equal j, and for a regular register define it to be a value satisfying conditions 1 and 2 in the hypothesis of Proposition 9. (B4 implies that such a definition is possible.)

I first show that S, →, - - -> (which I am assuming to have a nondegenerate global-time model) trivially implements a system execution in which reads are instantaneous, which is all that is required to prove Proposition 8. Given the nondegenerate global-time model s, f for S, →, - - ->, it suffices to find a global-time model s', f' with s ≤ s' < f' ≤ f in which all reads are instantaneous, such that B1–B4 hold for the system execution defined by s', f'.

For notational convenience, let s_i and f_i denote s_{V^[i]} and f_{V^[i]}, respectively. Let s', f' be the same as s, f except that, for a read R, define s'_R to equal the maximum of the following three quantities:

•  s_R

•  (s_{φ(R)})+

•  max{s'_{R'} : φ(R') < φ(R) and s_{R'} < f_R}+

and define f'_R to equal (s'_R)+. When the appropriate careful definition of t+ is given, this results in a nondegenerate global-time model in which every read is instantaneous. I must check that, for any read R: s_R ≤ s'_R < f'_R ≤ f_R, B1–B3 remain satisfied, and B4 remains satisfied when v is regular.

It is immediate by the definition of s'_R that s_R ≤ s'_R. Since f'_R = (s'_R)+, to establish the remaining inequalities I need to show that s'_R < f_R. If R sees v^[i,j] then, by Definition 4, s_j < f_R (the strict inequality comes from nondegeneracy), and, since φ(R) ≤ j, s_{φ(R)} < f_R. The required inequality now follows easily from the definition of s'_R.

I must now show that B1–B3 and, if v is regular, B4 hold for the new precedence relations. B1 and B2 are trivial. For B3 and B4, consider what a read sees in the new system execution if it sees v^[i,j] in the original one. There are three cases:

1. If f_{φ(R)} < s_R, then

   (a) if s_R < s_{φ(R)+1}, then R sees v^[φ(R), φ(R)];

   (b) if s_{φ(R)+1} < s_R, then R sees v^[φ(R), φ(R)+1].

2. If s_R < f_{φ(R)}, then R sees v^[φ(R)−1, φ(R)].

Moreover, it is immediate from Definition 4 that case 1(b) is impossible if φ(R) = j, which is the case when v is assumed to be only safe. This definition also implies that f_j < s_R if and only if i = j. Thus, when v is only safe, R sees v^[i,i] in the new system execution if and only if it does in the old, proving B3. For the case when v is regular, B3 and B4 follow immediately from the fact that R returns the value v^[φ(R)]. This finishes the proof of Proposition 8.

To complete the proof of Proposition 9, I first show that, if φ(R) < φ(S) for reads R and S, then f'_R < s'_S. The third hypothesis about φ implies that, if φ(R) < φ(S), then s_R < f_S. By the definition of s'_S, this implies that s'_S is greater than each of the three quantities of which s'_R is the maximum, so s'_R < s'_S. Since reads are instantaneous with respect to s', f', this implies f'_R < s'_S.

I must construct a new global-time model s'', f'', in which writes are also instantaneous and B1–B3 are still satisfied, so that s'', f'' is the same as s', f' except for writes, and for any write V^[k]: s'_k ≤ s''_k < f''_k ≤ f'_k. (Note that B5 follows from the fact that reads and writes are instantaneous, and B4 follows from B3 and B5.)

Let s''_k be the maximum of the two quantities s'_k and max{f'_R : φ(R) = k − 1}+, and let f''_k be (s''_k)+. Since v^[k−1] is one of the values "seen" by R in the system execution defined by s', f', if φ(R) = k − 1 then s'_R < f_k, which implies that s''_k < f_k. We therefore have s' ≤ s'' < f'' ≤ f', and reads and writes are both instantaneous in s'', f''. Again, B1 and B2 are trivial, so I need only prove B3.

Since reads and writes are instantaneous, B5 holds: a read R sees v^[i,i], and I must show that i = φ(R). The definition of s'' implies that f''_R = f'_R < s''_{φ(R)+1}. I must therefore show that s''_{φ(R)} < s'_R. In the global-time model s', f', the read R "sees the value" v^[φ(R)], so s'_{φ(R)} < s'_R. By definition of s'', we can have s''_{φ(R)} > s'_R only if there exists some R' with φ(R') < φ(R) and f'_{R'} > s'_R. However, I showed above that φ(R') < φ(R) implies f'_{R'} < s'_R, which completes the proof.


